• [4f780905c5] - crypto: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) #61788
• [4a09efb947] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485
• [e4c0d99839] - deps: update timezone to 2026a (Node.js GitHub Bot) #62164
• [0226c8dd7a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #62382
• [e742ab748c] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #62256
• [73cac0571a] - deps: update amaro to 1.1.8 (Node.js GitHub Bot) #62151
• [ae5c162b93] - deps: update amaro to 1.1.7 (Node.js GitHub Bot) #61730
• [b819cb9977] - deps: update amaro to 1.1.6 (Node.js GitHub Bot) #61603
• [bbcce09dc7] - deps: update sqlite to 3.52.0 (Node.js GitHub Bot) #62150
• [22ff2d81ce] - deps: update simdjson to 4.3.1 (Node.js GitHub Bot) #61930
• [f49b51d75c] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #61928
• [1a5cec0d49] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #61925
• [d339497688] - deps: update nbytes to 0.1.3 (Node.js GitHub Bot) #61879
• [3ff8ffd459] - deps: remove stale OpenSSL arch configs (René) #61834
• [b8ddbc1e9a] - deps: update llhttp to 9.3.1 (Node.js GitHub Bot) #61827
• [ffda97afd4] - deps: update googletest to 2461743991f9aa53e9a3625eafcbacd81a3c74cd (Node.js GitHub Bot) #62484
• [79aa32cf4f] - deps: update googletest to 73a63ea05dc8ca29ec1d2c1d66481dd0de1950f1 (Node.js GitHub Bot) #61927
• [b6957e13b6] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #62629
• [3a27669063] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #62629
• [d568a1bb53] - deps: upgrade npm to 10.9.8 (npm team) #62463
• [ec11f3c1d5] - deps: V8: backport 85b390089e51 (Thibaud Michaud) #62783
• [08609712ed] - deps: V8: backport 1b27e4674f11 (Thibaud Michaud) #62783
• [dcc60d5ab2] - deps: V8: backport 9997fc013952 (Thibaud Michaud) #62783
• [1d1f4451fb] - deps: V8: cherry-pick b96e40d5ac85 (Clemens Backes) #62783
• [2268567237] - deps: V8: cherry-pick 7cb6188cf913 (Thibaud Michaud) #62783
• [92804cdbea] - deps: V8: cherry-pick e7ccf0af1bdd (Thibaud Michaud) #62783
• [eae2c27a40] - deps: V8: cherry-pick 8e214ec3ec8c (Thibaud Michaud) #62783
• [a1799a49bb] - deps: V8: backport 63b8849d73ae (Thibaud Michaud) #62783
• [a2df2d8731] - deps: V8: backport 323942700cfe (Thibaud Michaud) #62783
• [e3d65c7dca] - deps: V8: backport 89dc6eab605c (Thibaud Michaud) #62783
• [5e7db133de] - deps: V8: backport 910cb91733dc (Jakob Kummerow) #62783
• [d0c24a28af] - deps: V8: cherry-pick b8f91e510e0f (Thibaud Michaud) #62783
• [d358687824] - deps: V8: cherry-pick cf03d55db2a0 (Thibaud Michaud) #62783
• [67c8b2c349] - deps: V8: cherry-pick 692f3d526a38 (Sébastien Doeraene) #62783
• [71e5a59ffd] - deps: V8: cherry-pick c734674e03f9 (Manos Koukoutos) #62783
• [f0dbe81c7b] - deps: V8: cherry-pick b2f3aea23a01 (Thibaud Michaud) #62783
• [d333f480c3] - deps: V8: cherry-pick 5f1342c20b59 (Matthias Liedtke) #62783
• [db722725bb] - deps: use npm undici@six tag in update-undici.sh (Matteo Collina) #63012
• [9b57979d9c] - doc: add Rafael to last security release steward (Rafael Gonzaga) #62423
• [d8075585bf] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #62355
• [6ec9a70204] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #62208
• [1fc86fcb6e] - doc: add note (and caveat) for mock.module about customization hooks (Jacob Smith) #62075
• [491be80bd9] - doc: add efekrskl as triager (Efe) #61876
• [18558293a3] - doc: fix module.stripTypeScriptTypes indentation (René) #61992
• [8e20976522] - doc: explicitly mention Slack handle (Rafael Gonzaga) #61986
• [70b8e6b4fb] - doc: rename invalid function parameter (René) #61942
• [4045c76f6c] - doc: clarify status of feature request issues (Antoine du Hamel) #61505
• [c54652f2aa] - doc: remove incorrect mention of module in typescript.md (Rob Palmer) #61839
• [9fad6cedf5] - doc: clarify async caveats for events.once() (René) #61572
• [2f1e5733fe] - doc: update Juan's security steward info (Juan José) #61754
• [a64bdb5068] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #62206
• [02797de923] - doc: fix small environment_variables typo (chris) #62279
• [f22ebdc809] - doc: fix small logic error in DETECT_MODULE_SYNTAX (René) #62025
• [9f4508062a] - doc: fix methods being documented as properties in process.md (Antoine du Hamel) #61765
• [3ea39ff135] - doc: fix dropdown menu being obscured at <600px due to stacking context (Jeff) #61735
• [c22445079b] - doc: fix spacing in process message event (Aviv Keller) #61756
• [32831b5223] - doc: fix broken links of net.md (YuSheng Chen) #61673
• [005508d509] - doc: remove obsolete Boxstarter automated install (Mike McCready) #61785
• [37c2fd6f7d] - esm: fix path normalization in finalizeResolution (Antoine du Hamel) #62080
• [1769d74613] - esm: populate separate cache for require(esm) in imported CJS (Joyee Cheung) #59679
• [ee02966ffc] - http: fix keep-alive socket reuse race in requestOnFinish (Martin Slota) #61710
• [2fdb5ce6cc] - http2: fix FileHandle leak in respondWithFile (sangwook) #61707
• [aa2c1eca04] - lib: fix source map url parse in dynamic imports (Chengzhong Wu) #61990
• [785b00cbeb] - meta: pass release version to release worker (flakey5) #62777
• [447fb9a0b5] - meta: persist sccache daemon until end of build workflows (René) #61639
• [5065a0acb3] - module: do not invoke resolve hooks twice for imported cjs (Joyee Cheung) #61529
• [9a2e21305d] - module: do not wrap module._load when tracing is not enabled (Joyee Cheung) #61479
• [b9240bc063] - module: fix sync resolve hooks for require with node: prefixes (Joyee Cheung) #61088
• [2e91b28aaf] - module: handle null source from async loader hooks in sync hooks (Joyee Cheung) #59929
• [39147c154e] - module: use sync cjs when importing cts (Marco Ippolito) #60072
• [12a2462b2c] - module: only put directly require-d ESM into require.cache (Joyee Cheung) #59874
• [cf39566277] - src: fix flags argument offset in JSUdpWrap (Weixie Cui) #61948
• [578a9a9230] - src: clamp WriteUtf8 capacity to INT_MAX in EncodeInto (semimikoh) #62621
• [57c3035fec] - stream: fix decoded fromList chunk boundary check (Thomas Watson) #61884
• [57fb008bb8] - test: update tls junk data error expectations (Filip Skokan) #62629
• [363f9a9d18] - test: skip test-url on --shared-ada builds (Antoine du Hamel) #62019
• [daaead342b] - test: simplify encodeInto large buffer regression test (semimikoh) #62621
• [ecfa766b41] - tools: fix auto-start-ci (Antoine du Hamel) #61900
• [17c0a610af] - tools: fix parsing of commit trailers in lint-release-proposal GHA (Antoine du Hamel) #62077
• [89ad7dc63b] - tools: enforce removal of lts-watch-* labels on release proposals (Antoine du Hamel) #61672
• [5f9bb8ef0c] - tools: revert tools GHA workflow to ubuntu-latest (Richard Lau) #62024
• [977ef80ac1] - url: process crash via malformed UNC hostname in pathToFileURL() (Nicola Del Gobbo) #62574
• [ad8f518a81] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #62325

Node.js now includes an experimental node:ffi module for loading dynamic libraries and calling native symbols from JavaScript.

The API is gated behind the --experimental-ffi flag and, when the Permission Model is enabled, requires --allow-ffi.

This API is inherently unsafe. Invalid pointers, incorrect signatures, or accessing memory after it has been freed can crash the process or corrupt memory.

Contributed by Paolo Insogna in #62072.

• [34a6454fe3] - (SEMVER-MINOR) buffer: add end parameter (Robert Nagy) #62390
• [073e84d7fe] - (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #62527
• [5b9cb10a5f] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #62553
• [98f9becd16] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #62713
• [06defaa2ea] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #57775
• [db66a963bf] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #62277
• [87adb3472b] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #63082
• [9047ec12ce] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #62541
• [ab66de8eaa] - (SEMVER-MINOR) process: throw on execve(2) failure instead of aborting (Bryan English) #62878
• [8273682c87] - (SEMVER-MINOR) src: allow empty --experimental-config-file (Marco Ippolito) #61610
• [fbff28f7e6] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #61098
• [a8c773a0c7] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #62820
• [b883a5eaea] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #60751
• [a21ae1771e] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #61747
• [b85c73ff10] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #61556

• [1b959d02c2] - assert,util: fix stale nested cycle memo entries (Ruben Bridgewater) #62509
• [bbeb38d210] - buffer: fix end parameter bugs in indexOf/lastIndexOf (Robert Nagy) #62711
• [34a6454fe3] - (SEMVER-MINOR) buffer: add end parameter (Robert Nagy) #62390
• [8b91526cd5] - build: track PDL files as inputs in inspector GN build (Robo) #62888
• [da40ed7842] - build: remove armv6 from experimental platforms (René) #63063
• [b36e55a23e] - build: make test-addons dependency-free (Joyee Cheung) #62388
• [c27f3cf8f2] - build: add --enable-all-experimentals build flag (Paolo Insogna) #62755
• [0d73b63a76] - build: fix cargo check when Temporal is disabled (Antoine du Hamel) #62730
• [d8f97e6f7b] - build: fix ffi dependency compilation (Paolo Insogna) #62731
• [d1eb7b340f] - build: fix stray debug string in LIEF defines (Om Ghante) #62683
• [845283009d] - build: remove redundant -fuse-linker-plugin from GCC LTO flags (Daniel Lando) #62667
• [a6e99879f4] - build,win: enable x64 PGO (Stefan Stojanovic) #62761
• [38befee0fb] - crypto: add JWK support for ML-KEM and SLH-DSA key types (Filip Skokan) #62706
• [b10653ad87] - crypto: add guards and adjust tests for BoringSSL (Filip Skokan) #62883
• [2a7a69c6b0] - crypto: reject unintended raw key format string input (Filip Skokan) #62974
• [bad1e2fe6a] - crypto: fix unsigned conversion of 4-byte RSA publicExponent (DeepView Autofix) #62839
• [c9d5bae598] - crypto: remove Argon2 KDF derivation from its job setup (Filip Skokan) #62863
• [6eea52426f] - crypto: reject duplicate ML-KEM JWK key_ops (Filip Skokan) #62905
• [80d4836616] - crypto: deduplicate and canonicalize CryptoKey usages (Filip Skokan) #62902
• [8950247027] - crypto: reject inherited key type names (Jonathan Lopes) #62875
• [3f42f9615a] - crypto: strengthen argument CHECKs in TurboSHAKE (Tobias Nießen) #62763
• [28346d999b] - crypto: guard against size_t overflow on experimental 32-bit arch (Filip Skokan) #62626
• [d4cec263c4] - (SEMVER-MINOR) crypto: align key argument names in docs and error messages (Filip Skokan) #62527
• [073e84d7fe] - (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #62527
• [518b578fe7] - crypto: add memory tracking for secureContext openssl objects (Mert Can Altin) #59051
• [5b9cb10a5f] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #62553
• [7133826053] - debugger: move ProbeInspectorSession and helpers to separate files (Joyee Cheung) #63013
• [98f9becd16] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #62713
• [94ac62a2d1] - deps: update undici to 8.2.0 (Node.js GitHub Bot) #63092
• [ef71de87e6] - deps: update amaro to 1.1.9 (Node.js GitHub Bot) #63090
• [c4f0ef881a] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #63045
• [d29fbc0029] - deps: fix integration issues with the latest nghttp2 (Tim Perry) #62891
• [537825acee] - deps: update nghttp2 to 1.69.0 (Node.js GitHub Bot) #62891
• [4446bf694d] - deps: update corepack to 0.34.7 (Node.js GitHub Bot) #62810
• [8f55327f1c] - deps: fix libffi macos build (Paolo Insogna) #63006
• [3dee18f72f] - deps: patch V8 to 14.6.202.34 (Node.js GitHub Bot) #62964
• [e281b247e6] - deps: update timezone to 2026b (Node.js GitHub Bot) #62962
• [4dd982df13] - deps: upgrade npm to 11.13.0 (npm team) #62898
• [61c0ff4a13] - deps: cherry-pick libuv/libuv@439a54b (skooch) #62881
• [d26ca462ae] - deps: update undici to 8.1.0 (Node.js GitHub Bot) #62728
• [6f08489ac9] - deps: update sqlite to 3.53.0 (Node.js GitHub Bot) #62699
• [713601e8bd] - deps: update nbytes to 0.1.4 (Node.js GitHub Bot) #62698
• [578cf1c0c1] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #62629
• [4a4ef13c67] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #62629
• [2f3eca8c1e] - deps: update perfetto to 54.0 (Chengzhong Wu) #62397
• [944ed9b739] - deps: add perfetto build files (Chengzhong Wu) #62397
• [15530a7484] - deps: update ngtcp2 to 1.22.0 (Node.js GitHub Bot) #62595
• [b813b4c4b5] - deps: update minimatch to 10.2.5 (Node.js GitHub Bot) #62594
• [38e7ce58c5] - deps: update googletest to d72f9c8aea6817cdf1ca0ac10887f328de7f3da2 (Node.js GitHub Bot) #62593
• [b5c573ed14] - deps: update simdjson to 4.6.1 (Node.js GitHub Bot) #62592
• [318e2c7cd3] - deps: libuv: cherry-pick aabb7651de (Santiago Gimeno) #62561
• [c6ccbd742a] - deps: libuv: reapply 3a9a6e3e6b (Andy Pan) #62561
• [4ad07de7ae] - diagnostics_channel: add BoundedChannel and scopes (Stephen Belanger) #61680
• [44416ea3fd] - doc: fix documentation history missing 25.9.0 (Antoine du Hamel) #63151
• [5f6dfbf68e] - doc: fix changelog for chromium numbering (Rafael Gonzaga) #63133
• [30c4b3658c] - doc: fix the TypeScript Execute (tsx) project link (David Thornton) #63093
• [ca3c3097f1] - doc: minor structural stream/iter edits (René) #63089
• [92324aab6f] - doc: remove typo comma from man page (Vas Sudanagunta) #63080
• [712a15da73] - doc: correct diagnostics_channel built-in channel names (Bryan English) #62995
• [c92cb6fe0d] - doc: use mjs/cjs blocks for callbackify null reason example (Daijiro Wachi) #62884
• [020776d4d6] - doc: fix typo in test.md (Rich Trott) #62960
• [7d52f2061e] - doc: correct typo in PR contribution instructions (Mike McCready) #62738
• [70e8944676] - doc: fix duplicate word "of of" in postMessageToThread (Daijiro Wachi) #62917
• [11c6c29284] - doc: fix duplicate word "to to" in util.styleText (Daijiro Wachi) #62917
• [242adab671] - doc: fix duplicate word "for for" in compile cache (Daijiro Wachi) #62917
• [b9f3abd63e] - doc: fix doubled word typo in stream_iter.md (Daijiro Wachi) #62916
• [7a52fd0448] - doc: fix typo in dns.lookup options description (Daijiro Wachi) #62882
• [acd7e18a8c] - doc: fix Argon2 parameter bounds (Tobias Nießen) #62868
• [b43ecf40bb] - doc: trust FFI in the threat model (Paolo Insogna) #62852
• [981ce96b03] - doc: fix typos and inconsistencies in crypto.md and webcrypto.md (Filip Skokan) #62828
• [acc52ef257] - doc: clarify diffieHellman.generateKeys recomputes same key (Kit Dallege) #62205
• [ae87597c07] - doc: remove Ayase-252 and meixg from triagger team (Antoine du Hamel) #62841
• [1cd3694a5f] - doc: clarify dns.lookup() callback signature when all is true (eungi) #62800
• [40a4337d65] - doc: add experimental modules lifetime policy (Paolo Insogna) #62753
• [46f48222f8] - doc: clarify process._debugProcess() in Permission Model (Fahad Khan) #62537
• [6eb9917497] - doc: fix typo in devcontainer guide (Rohan Santhosh Kumar) #62687
• [3826c5ed7e] - doc: clarify Backport-PR-URL metadata added automatically (Mike McCready) #62668
• [5d7e0dbbd8] - doc: update WPT test runner README.md (Filip Skokan) #62680
• [e9d76b2a75] - doc: fix spelling in release announcement guidance (Rohan Santhosh Kumar) #62663
• [1ae41cebb0] - doc: note GCC >= 14 requirement for native riscv64 builds (Jamie Magee) #62607
• [9b29be6a28] - doc: note non-monotonic clock in crypto.randomUUIDv7 (nabeel378) #62600
• [5ae59553f6] - doc: update bug bounty program (Rafael Gonzaga) #62590
• [ce3f4c85dd] - doc: document TransformStream transformer.cancel option (Tom Pereira) #62566
• [08a9ba73e4] - doc: mention test runner retry attemp is zero based (Moshe Atlow) #62504
• [32f2169ede] - doc,src,test: fix dead inspector help URL (semimikoh) #62745
• [870c1cd3f4] - doc,test: mem protection must be observed in ffi (Bryan English) #62818
• [3d5cf171dc] - esm: add ERR_REQUIRE_ESM_RACE_CONDITION (Antoine du Hamel) #62462
• [2004d8d6db] - ffi: make FFIFunctionInfo a BaseObject subclass (Anna Henningsen) #63071
• [53eb7abeba] - ffi: prevent premature GC of DynamicLibrary (semimikoh) #63024
• [58dc92f502] - ffi: support Symbol.dispose on DynamicLibrary (Matteo Collina) #62925
• [528f8b2bae] - ffi: add shared-buffer fast path for numeric and pointer signatures (Bryan English) #62918
• [42ac8b9ae7] - fs: add followSymlinks option to glob (Matteo Collina) #62695
• [873c2bca70] - fs: restore fs patchability in ESM loader (Joyee Cheung) #62835
• [349c7502c3] - fs: validate position argument before length === 0 early return (Edy Silva) #62674
• [06defaa2ea] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #57775
• [db66a963bf] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #62277
• [3191d2936a] - http: emit 'drain' on OutgoingMessage only after buffers drain (Robert Nagy) #62936
• [87adb3472b] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #63082
• [e0b79633f6] - http: fix leaked error listener on sync HTTP req create + destroy (Tim Perry) #62872
• [70c5491f53] - http: fix no_proxy leading-dot suffix matching (Daijiro Wachi) #62333
• [60a585e68a] - http: cleanup pipeline queue (Robert Nagy) #62534
• [9047ec12ce] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #62541
• [01eed5901b] - http2: expose writable stream state on compat response (T) #63003
• [19b7adf3ba] - inspector: fix absolute URLs in network http (bugyaluwang) #62955
• [4d10823fbb] - inspector: coerce key and value to string in webstorage events (Ali Hassan) #62616
• [9a3ac66cc5] - inspector: return errors when CDP protocol event emission fails (Ryuhei Shima) #62162
• [c89501c6e5] - inspector: auto collect webstorage data (Ryuhei Shima) #62145
• [ef08c5016a] - lib: refactor internal webidl converters (Filip Skokan) #62979
• [d0744c6a99] - lib: add Temporal to frozen intrinsics (René) #63029
• [6d81cb17b3] - lib: avoid quadratic shift() in startup snapshot callback (Daijiro Wachi) #62914
• [3491f73051] - lib: fix FLOAT_32 and FLOAT_64 type constants in ffi (Daijiro Wachi) #62892
• [c4ca303b36] - lib: harden kKeyOps lookup with null prototype (Filip Skokan) #62877
• [2e612fe070] - lib: short-circuit WebIDL BufferSource SAB check (Filip Skokan) #62833
• [e850ee9c69] - lib: add new methods and error codes (Paolo Insogna) #62762
• [e21b873589] - lib: use js-only implementation of isDataView() (René) #62780
• [f454d1719d] - lib: fix lint in internal/webstreams/util.js (Filip Skokan) #62806
• [fbd8ededba] - lib: fix sequence argument handling in Blob constructor (Ms2ger) #62179
• [16860e6abd] - lib: improve Web Cryptography key validation ordering (Filip Skokan) #62749
• [ba3f3e1753] - lib: reject SharedArrayBuffer in web APIs per spec (Ali Hassan) #62632
• [d065e996bb] - lib: defer AbortSignal.any() following (sangwook) #62367
• [2a711f4b0c] - (SEMVER-MINOR) lib,src,test,doc: add node:ffi module (Colin Ihrig) #62072
• [d578343582] - meta: bump github/codeql-action from 4.35.1 to 4.35.3 (dependabot[bot]) #63074
• [1b4b90d544] - meta: bump Mozilla-Actions/sccache-action from 0.0.9 to 0.0.10 (dependabot[bot]) #63073
• [1477349e47] - meta: bump actions/upload-artifact from 7.0.0 to 7.0.1 (dependabot[bot]) #63072
• [ecb7de271a] - meta: bump cachix/install-nix-action from 31.10.3 to 31.10.5 (dependabot[bot]) #62846
• [fb91408312] - meta: bump actions/upload-artifact from 7.0.0 to 7.0.1 (dependabot[bot]) #62850
• [7eb9a6be68] - meta: add automation policy (Chengzhong Wu) #62871
• [6f053a4cb8] - meta: update CODEOWNERS for FFI (Paolo Insogna) #62853
• [88fe50a725] - meta: move VoltrexKeyva to emeritus (Matteo Collina) #62895
• [42e770bdd0] - meta: bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (dependabot[bot]) #62845
• [952d005233] - meta: bump step-security/harden-runner from 2.16.1 to 2.19.0 (dependabot[bot]) #62844
• [1bd19d9768] - meta: bump actions/github-script from 8.0.0 to 9.0.0 (dependabot[bot]) #62843
• [386244a7dd] - meta: bump actions/setup-node from 6.3.0 to 6.4.0 (dependabot[bot]) #62842
• [16b2c41f70] - meta: broaden stale bot (Aviv Keller) #62658
• [41e7a4ba82] - meta: pass release version to release worker (flakey5) #62777
• [632821db85] - meta: add QUIC to CODEOWNERS (Tim Perry) #62652
• [4a7ad93ed8] - meta: move Michael to emeritus (Michael Dawson) #62536
• [44d5a33efb] - meta: populate apt list for slim runner in update-openssl workflow (René) #62628
• [d874596aa3] - meta: bump cachix/install-nix-action from 31.9.1 to 31.10.3 (dependabot[bot]) #62551
• [1631b27e2b] - meta: bump step-security/harden-runner from 2.15.0 to 2.16.1 (dependabot[bot]) #62550
• [4de376894d] - meta: bump actions/download-artifact from 8.0.0 to 8.0.1 (dependabot[bot]) #62549
• [39da4d7bd6] - meta: bump actions/setup-node from 6.2.0 to 6.3.0 (dependabot[bot]) #62548
• [62e3aa55ad] - meta: bump github/codeql-action from 4.32.4 to 4.35.1 (dependabot[bot]) #62547
• [83986de8a2] - meta: bump codecov/codecov-action from 5.5.2 to 6.0.0 (dependabot[bot]) #62545
• [18e56861dc] - meta: bump cachix/cachix-action from 16 to 17 (dependabot[bot]) #62544
• [d4e49d567a] - meta: bump actions/cache from 5.0.3 to 5.0.4 (dependabot[bot]) #62543
• [2c5a914af4] - meta: require DCO signoff in commit message guidelines (James M Snell) #62510
• [f21039ce59] - meta: expand memory leak DoS criteria to all DoS (Joyee Cheung) #62505
• [824ac6b5bf] - module: exclude node:ffi from builtinModules when not enabled (Jordan Harband) #63158
• [bb6293ab7c] - module: remove duplicated checks from _resolveFilename (Antoine du Hamel) #62729
• [34ec8c9f5c] - module,win: fix long subpath import (Stefan Stojanovic) #62101
• [de46e68918] - node-api: update libuv ABI stability note (Chengzhong Wu) #62789
• [78c7d77bbf] - node-api: add napi_create_external_sharedarraybuffer (Ben Noordhuis) #62623
• [a0ccf94f61] - node-api: execute tsfn finalizer after queue drains when aborted (Kevin Eady) #61956
• [ab66de8eaa] - (SEMVER-MINOR) process: throw on execve(2) failure instead of aborting (Bryan English) #62878
• [20151be8cb] - process: handle rejections only when needed (Gürgün Dayıoğlu) #62919
• [9b24a815a2] - quic: add QuicEndpoint.listening & QuicStream.destroy() and tests (Tim Perry) #62648
• [761a96740c] - quic: fixup token verification to handle zero expiration (James M Snell) #62620
• [4ade02ac85] - quic: support multiple ALPN negotiation (James M Snell) #62620
• [b2e2e648e4] - quic: apply multiple TLS context improvements and SNI support (James M Snell) #62620
• [56b941af4a] - quic: implement rapidhash for hashing improvements (James M Snell) #62620
• [7cda4300b8] - quic: use arena allocation for packets (James M Snell) #62589
• [1e8fa2f1bd] - sqlite: use OneByte for ASCII text and internalize col names (Ali Hassan) #61954
• [3af44ee508] - sqlite: add serialize() and deserialize() (Ali Hassan) #62579
• [6386914b4b] - src: decouple KeyObject and CryptoKey and move CryptoKey to src (Filip Skokan) #62924
• [2dc1d205ee] - src: replace uses of deprecated v8::External APIs (gahaas) #61898
• [cb33a794a5] - src: remove license headers for new node_profiling files (Chengzhong Wu) #63066
• [59860eb798] - src: swap dotenv and config file parsing order (Marco Ippolito) #63035
• [fda439cb58] - src: use unique_ptr for ffi memory management (Anna Henningsen) #63071
• [56917afc57] - src: split profiling helpers from util (Ilyas Shabi) #63008
• [fca56a409d] - src: add missing <cstdlib> for abort() declaration (Charles Kerr) #63001
• [d49c89e915] - src: make node.config.json throw at unknown fields (Marco Ippolito) #62992
• [e89c8e9b68] - src: fix crash in GetErrorSource() for invalid using syntax (semimikoh) #62770
• [d89f719ce0] - src: remove outdated comments in contextify (Chengzhong Wu) #62932
• [5117a3e52b] - src: simplify TCPWrap::Connect signature (Anna Henningsen) #62929
• [41bd288ec7] - src: align FFI error handling with Node.js source (Anna Henningsen) #62858
• [faaccfb9df] - src: simplify and fix FFI ArrayBuffer accesses (Anna Henningsen) #62857
• [43bf39c350] - src: use DCHECK in AsyncWrap::MakeCallback instead emiting a warning (Gerhard Stöbich) #62795
• [da52b09859] - src: fix MaybeStackBuffer char_traits deprecation warning (om-ghante) #62507
• [2b12bca317] - src: use context-free V8 message column getters (René) #62778
• [7efc2ce7b3] - src: clean up experimental flag variables (Antoine du Hamel) #62759
• [8273682c87] - (SEMVER-MINOR) src: allow empty --experimental-config-file (Marco Ippolito) #61610
• [b844c24395] - src: coerce spawnSync args to string once (Antoine du Hamel) #62633
• [28679d76c4] - src: use stack allocation for small string encoding (Ali Hassan) #62431
• [144ef93735] - src: add contextify interceptor debug logs (Chengzhong Wu) #62460
• [d34cfb512e] - stream: remove redundant method check from iter.pipeToSync (René) #63099
• [a95830b72a] - stream: copyedit webstreams/adapter.js (Antoine du Hamel) #63034
• [4bf3e1e084] - stream: remove duplicated utility (Antoine du Hamel) #63031
• [214a8c197b] - stream: simplify setPromiseHandled utility (Antoine du Hamel) #63032
• [c12a767ff2] - stream: validate ReadableStream.from iterator objects (Daeyeon Jeong) #62911
• [b09953d2d4] - stream: reject duplicate nested transferables (Daeyeon Jeong) #62831
• [b9929622f3] - stream: ensuring cross-destruction in _duplexify to prevent leaks (Daijiro Wachi) #62824
• [c51a39b3ec] - stream: simplify readableStreamFromIterable (Antoine du Hamel) #62651
• [36078574b9] - stream: fix nested compose error propagation (Matteo Collina) #62556
• [e1928cd481] - stream: allow shared array buffer sources in writable webstream adapter (René) #62163
• [450e0519d9] - stream: simplify createPromiseCallback (Antoine du Hamel) #62650
• [57e59ea070] - stream: fix writev unhandled rejection in fromWeb (sangwook) #62297
• [958373413c] - stream: noop pause/resume on destroyed streams (Robert Nagy) #62557
• [ee38d2c43d] - stream: refactor duplexify to be less suceptible to prototype pollution (Antoine du Hamel) #62559
• [fbff28f7e6] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #61098
• [d7317f4f90] - stream: add stream/iter to classic stream adapters (James M Snell) #62469
• [55298c443f] - test: accept OpenSSL 4 generic internal error for DH key-type mismatches (Filip Skokan) #62805
• [96581bccc7] - test: update WPT for url to 258f285de0 (Node.js GitHub Bot) #63087
• [c73aba07fb] - test: run Temporal presence checks without V8 flag (René) #63028
• [9c94dce55b] - test: export isRiscv64 from common module (Jamie Magee) #62609
• [33c5f7fdbf] - test: normalize known inspector crash as completion (Joyee Cheung) #62851
• [8146a97bc3] - test: update WPT for streams to f8f26a372f (Node.js GitHub Bot) #62864
• [7c77c301c9] - test: account for RFC 7919 FFDHE negotiation in OpenSSL 4.0 (Filip Skokan) #62805
• [9bf7604eb6] - test: skip tls-deprecated secp256k1 on OpenSSL 4.0 (Filip Skokan) #62805
• [d173604b53] - test: use an always invalid cipher and cover OpenSSL 4.0 behaviours (Filip Skokan) #62805
• [72f52163b4] - test: use valid DER OCSP responses (Filip Skokan) #62805
• [e242394ad9] - test: skip test-tls-error-stack when engines are unsupported (Filip Skokan) #62805
• [9bff52ebf8] - test: accept renamed OpenSSL 4.0 error code and reason (Filip Skokan) #62805
• [d9b8cc1b68] - test: update test/addons/openssl-binding for OpenSSL 4.0 (Filip Skokan) #62805
• [960fb16287] - test: mark test-snapshot-reproducible flaky (Filip Skokan) #62808
• [7a12dd58cf] - test: check contextify contextual store behavior in strict mode (René) #62571
• [c73c8e603f] - test: skip test-temporal-with-zoneinfo on system-icu builds (Antoine du Hamel) #62754
• [48a3ca303e] - test: generate localstorage.db in a temp dir (Chengzhong Wu) #62660
• [1a41c2c5db] - test: update tls junk data error expectations (Filip Skokan) #62629
• [115e8c2052] - test: ensure WPT report is in out/wpt (Filip Skokan) #62637
• [cb07b918bd] - test: improve WPT runner summary (Filip Skokan) #62636
• [7f48438380] - test: skip url WPT subtests instead of modifying test script (Filip Skokan) #62635
• [4097fb95d7] - test: capture negative utimes mtime at call time (Yuya Inoue) #62490
• [e29f46df81] - test: allow skipping individual WPT subtests (Filip Skokan) #62517
• [4d546886c3] - test: use on-disk fixture for test-npm-install (Joyee Cheung) #62584
• [5b35eb02ec] - test: update WPT for url to 7a3645b79a (Node.js GitHub Bot) #62591
• [7a8610835d] - test_runner: fix failing suite hooks when marked with todo (Moshe Atlow) #63097
• [a8c773a0c7] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #62820
• [dc0d757c8a] - test_runner: fix suite rerun edge case (Moshe Atlow) #62860
• [b883a5eaea] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #60751
• [6fa62b7d58] - test_runner: add testId to test events (Moshe Atlow) #62772
• [39e08340ff] - test_runner: publish to TracingChannel for OTel instrumentation (Moshe Atlow) #62502
• [a21ae1771e] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #61747
• [cf0edeb65d] - test_runner: add passed, attempt, and diagnostic to SuiteContext (Moshe Atlow) #62504
• [644e2399d6] - test_runner: add getTestContext() (Moshe Atlow) #62501
• [480d538830] - tools: use npm ci in Undici update script (Antoine du Hamel) #63098
• [9afb013edd] - tools: update nixpkgs-unstable to c6d65881c5624c9cae5ea6cedef24699b0c (Node.js GitHub Bot) #63091
• [b9f2f5a90a] - tools: bump postcss from 8.5.8 to 8.5.10 in /tools/doc (dependabot[bot]) #62966
• [09e4f4caca] - tools: use LTS Node.js in notify-on-push workflow (Nenad Spasenic) #63084
• [2af4c89774] - tools: implements a few nits on build-aarch64-linux-v8 (Antoine du Hamel) #63048
• [cf9c1849ca] - tools: update gr2m/create-or-update-pull-request-action to v1.10.1 (Mike McCready) #63065
• [96370a57ed] - tools: simplify update-undici.sh (Antoine du Hamel) #63044
• [b90486edd8] - tools: do not run test-linux on unrelated tools changes (Antoine du Hamel) #63037
• [ac49e7c9fc] - tools: migrate from openssl-matrix.json to openssl-matrix.nix (Antoine du Hamel) #63036
• [a9df3e37fd] - tools: update labels for nixpkgs pin bumps (Antoine du Hamel) #62994
• [cee0154af8] - tools: reuse V8 builds even without Cachix on test-shared (Antoine du Hamel) #62980
• [78c183da6b] - tools: do not include HTML docs in slim tarball (Antoine du Hamel) #62989
• [04ce9df084] - tools: bump the eslint group in /tools/eslint with 4 updates (dependabot[bot]) #62848
• [4d2952c00a] - tools: update nixpkgs-unstable to 01fbdeef22b76df85ea168fbfe1bfd9e636 (Node.js GitHub Bot) #62963
• [555ad12f27] - tools: update gyp-next to 0.22.1 (Node.js GitHub Bot) #62961
• [f92cbc2c81] - tools: fix commit linter for semver-major release proposals (Antoine du Hamel) #62993
• [3b5bb4d758] - tools: consolidate and simplify .editorconfig deps section (Daijiro Wachi) #62887
• [027bef4f3e] - tools: add non-default OpenSSL versions to the test-shared workflow (Filip Skokan) #62862
• [fdcd7752de] - tools: set bot as author of tools-deps-update PRs (Antoine du Hamel) #62856
• [ab7be6d987] - tools: bump brace-expansion from 5.0.4 to 5.0.5 in /tools/eslint (dependabot[bot]) #62458
• [82281ffd59] - tools: bump brace-expansion in /tools/clang-format (dependabot[bot]) #62467
• [48bb51b3d7] - tools: update nixpkgs-unstable to ab72be9733b41190ea34f1422a3e4e243ed (Node.js GitHub Bot) #62821
• [67baa3254b] - tools: bump @node-core/doc-kit in /tools/doc in the doc group (dependabot[bot]) #62512
• [bdee0a859d] - tools: exclude @node-core/doc-kit from dependabot cooldown (Levi Zim) #62775
• [9e19f55214] - tools: re-enable undici WPTs in daily wpt.fyi job (Filip Skokan) #62677
• [1eedbdded9] - tools: use upstream version of OpenSSL in test-shared (Antoine du Hamel) #62679
• [3490c1fba1] - tools: pass the Temporal disable flag when disabled in shell.nix (Antoine du Hamel) #62733
• [3a29dafd2d] - tools: fix --shared-ffi compilation on macOS (Antoine du Hamel) #62737
• [5cb9108b9c] - tools: update nixpkgs-unstable to 13043924aaa7375ce482ebe2494338e0582 (Node.js GitHub Bot) #62700
• [757cd21ea0] - tools: update gyp-next to 0.22.0 (Node.js GitHub Bot) #62697
• [fad51c2f03] - tools: add a check for clean git tree after tests (Antoine du Hamel) #62661
• [d1c517fd61] - tools: improve backport review script (Antoine du Hamel) #62573
• [6d169c75f7] - tools: make v8.nix more stable (Antoine du Hamel) #62508
• [1587a60bf8] - tools: add perfetto updater (Chengzhong Wu) #62397
• [f54d74a5e7] - tools: improve output for unexpected passes in WTP tests (Antoine du Hamel) #62587
• [a86c96333c] - tools: revert OpenSSL update workflow to ubuntu-latest (Richard Lau) #62627
• [c9860f5800] - tools: update nixpkgs-unstable to a6522db5b947cd7026a40d02acc3ca26136 (Node.js GitHub Bot) #62596
• [ae41e2a141] - tools: bump the eslint group in /tools/eslint with 2 updates (dependabot[bot]) #62552
• [e2ba824407] - tools: allow triagers to queue a PR for CI until it's reviewed (Antoine du Hamel) #62524
• [899d780f15] - tools: do not run commit-lint on release proposals (Antoine du Hamel) #62523
• [102da27b4e] - url: process crash via malformed UNC hostname in pathToFileURL() (Nicola Del Gobbo) #62574
• [3abd78c3e5] - url: optimize URLSearchParams set/delete duplicate handling (Gürgün Dayıoğlu) #62266
• [fd3bf3830b] - url: align default argument handling for URLPattern with webidl (Filip Skokan) #62719
• [b85c73ff10] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #61556
• [c1d6b3db73] - v8: add cpu profile options (Ilyas Shabi) #62684
• [717d9a7fda] - v8: add heap profile API (Ilyas Shabi) #62273
• [2b885667a9] - watch: track worker entry files in watch mode (SudhansuBandha) #62368
• [457fb55193] - watch: fix --env-file-if-exists crashing on linux if the file is missing (Efe) #61870

We're excited to announce the release of Node.js 26! Highlights include the Temporal API enabled by default, updates to the V8 JavaScript engine to 14.6, Undici to 8.0, and several important deprecations and removals as we continue to modernize the platform.

As a reminder, Node.js 26 will enter long-term support (LTS) in October, but until then, it will be the "Current" release for the next six months. We encourage you to explore the new features and benefits offered by this latest release and evaluate their potential impact on your applications.

The Temporal API is now enabled by default in Node.js 26. Temporal is a modern date/time API for JavaScript that provides a more robust and feature-rich alternative to the legacy Date object.

Contributed by Richard Lau in #61806.

The V8 engine is updated to version 14.6.202.33, which is part of Chromium 134.

This version also includes:

• Upsert (https://github.com/tc39/proposal-upsert): [Weak]Map.prototype.getOrInsert(), [Weak]Map.prototype.getOrInsertComputed()
• Iterator sequencing (https://github.com/tc39/proposal-iterator-sequencing): Iterator.concat()

Contributed by Michaël Zasso in #61898.

Undici has been updated to version 8.0.2, bringing new features and improvements to Node.js's HTTP client implementation.

• [dff46c07c3] - (SEMVER-MAJOR) crypto: move DEP0182 to End-of-Life (Tobias Nießen) #61084
• [93c25815ee] - (SEMVER-MAJOR) http: move writeHeader to end-of-life (Sebastian Beltran) #60635

http.Server.prototype.writeHeader() is now fully removed. Use http.Server.prototype.writeHead() instead.

• [c755b0113c] - (SEMVER-MAJOR) stream: move _stream_* to end-of-life (Sebastian Beltran) #60657

The legacy _stream_wrap, _stream_readable, _stream_writable, _stream_duplex, _stream_transform, and _stream_passthrough modules are now fully removed.

• [adac077484] - (SEMVER-MAJOR) crypto: runtime-deprecate DEP0203 and DEP0204 (Filip Skokan) #62453
• [ac6375417a] - (SEMVER-MAJOR) stream: promote DEP0201 to runtime deprecation (René) #62173
• [98907f560f] - (SEMVER-MAJOR) module: runtime-deprecate module.register() (Geoffrey Booth) #62401
• [89f4b6cddb] - (SEMVER-MAJOR) module: remove --experimental-transform-types (Marco Ippolito) #61803

• [d3f79aa65d] - (SEMVER-MAJOR) assert: allow printf-style messages as assertion error (Ruben Bridgewater) #58849
• [f6ce381fec] - (SEMVER-MAJOR) build: bump GCC requirement to 13.2 (Michaël Zasso) #62555
• [bff81fca46] - (SEMVER-MAJOR) build: enable Temporal by default (Richard Lau) #61806
• [6ddb1643e1] - (SEMVER-MAJOR) build: enable V8_VERIFY_WRITE_BARRIERS in debug build (Joyee Cheung) #61898
• [a8ab08b373] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Michaël Zasso) #61898
• [0998c37eb6] - (SEMVER-MAJOR) build: target Power 9 for AIX/IBM i (Richard Lau) #62296
• [d73c49e849] - (SEMVER-MAJOR) build: drop support for Python 3.9 (Mike McCready) #61177
• [3c92ee1008] - (SEMVER-MAJOR) build: enable maglev for Linux on s390x (Richard Lau) #60863
• [908c468828] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Michaël Zasso) #60488
• [6380fbb5ee] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Michaël Zasso) #60111
• [089d6c77e7] - (SEMVER-MAJOR) (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) #61898
• [f9bd0165c4] - (SEMVER-MAJOR) build,win: fix Temporal build (StefanStojanovic) #61806
• [6cc4cf8fe8] - (SEMVER-MAJOR) crypto: unify asymmetric key import through KeyObjectHandle::Init (Filip Skokan) #62499
• [adac077484] - (SEMVER-MAJOR) crypto: runtime-deprecate DEP0203 and DEP0204 (Filip Skokan) #62453
• [74509b166a] - (SEMVER-MAJOR) crypto: decorate async crypto job errors with OpenSSL error details (Filip Skokan) #62348
• [da5843b91d] - (SEMVER-MAJOR) crypto: default ML-KEM and ML-DSA pkcs8 export to seed-only format (Filip Skokan) #62178
• [dff46c07c3] - (SEMVER-MAJOR) crypto: move DEP0182 to End-of-Life (Tobias Nießen) #61084
• [94cd600542] - (SEMVER-MAJOR) crypto: fix DOMException name for non-extractable key error (Filip Skokan) #60830
• [dae2219cca] - (SEMVER-MAJOR) deps: V8: cherry-pick 0f024d4e66e0 (ishabi) #62408
• [15d406c1b1] - (SEMVER-MAJOR) deps: fix V8 race condition for AIX (Abdirahim Musse) #61898
• [46852d2d7a] - (SEMVER-MAJOR) deps: V8: cherry-pick cd2c216e7658 (LuYahan) #61898
• [784431d6fc] - (SEMVER-MAJOR) deps: V8: backport 088b7112e7ab (Igor Sheludko) #61898
• [3839c4a756] - (SEMVER-MAJOR) deps: V8: cherry-pick 00f6e834029f (Joyee Cheung) #61898
• [44f64f1dd9] - (SEMVER-MAJOR) deps: V8: backport bef0d9c1bc90 (Joyee Cheung) #61898
• [1f8f288e22] - (SEMVER-MAJOR) deps: V8: cherry-pick cf1bce40a5ef (Richard Lau) #61898
• [d7eccac9ad] - (SEMVER-MAJOR) deps: V8: cherry-pick daf4656ba85e (Milad Fa) #61898
• [3ee1ea7d0b] - (SEMVER-MAJOR) deps: V8: cherry-pick d83f479604c8 (Joyee Cheung) #61898
• [80907c0239] - (SEMVER-MAJOR) deps: V8: cherry-pick edeb0a4fa181 (Joyee Cheung) #61898
• [5e0dc169e9] - (SEMVER-MAJOR) deps: V8: cherry-pick aa0b288f87cc (Richard Lau) #61898
• [8c1f7adbcd] - (SEMVER-MAJOR) deps: patch V8 to fix Windows build (StefanStojanovic) #61898
• [3cbd3404d9] - (SEMVER-MAJOR) deps: V8: cherry-pick highway@989a498fdf3 (Richard Lau) #61898
• [9f2b7d4031] - (SEMVER-MAJOR) deps: support madvise(3C) across ALL illumos revisions (Dan McDonald) #61898
• [947ec32118] - (SEMVER-MAJOR) deps: patch V8 for illumos (Dan McDonald) #61898
• [0660b942b2] - (SEMVER-MAJOR) deps: remove problematic comment from v8-internal (Michaël Zasso) #61898
• [bef7b31a3f] - (SEMVER-MAJOR) deps: define V8_PRESERVE_MOST as no-op on Windows (Stefan Stojanovic) #61898
• [a10bf1e6ce] - (SEMVER-MAJOR) deps: patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #61898
• [cc547428e1] - (SEMVER-MAJOR) deps: update V8 to 14.6.202.33 (Michaël Zasso) #61898
• [b81d2cbcae] - (SEMVER-MAJOR) deps: update undici to 8.0.2 (Node.js GitHub Bot) #62384
• [bf5c6a8bd4] - (SEMVER-MAJOR) deps: V8: backport 151d0a44a1b2 (Abdirahim Musse) #60488
• [b59af772dc] - (SEMVER-MAJOR) deps: V8: cherry-pick 47800791b35c (Jakob Kummerow) #60488
• [5e41e5228a] - (SEMVER-MAJOR) deps: patch V8 for illumos (Dan McDonald) #59805
• [2243e58e43] - (SEMVER-MAJOR) deps: use std::map in MSVC STL for EphemeronRememberedSet (Joyee Cheung) #58070
• [4157964c42] - (SEMVER-MAJOR) deps: remove problematic comment from v8-internal (Michaël Zasso) #58070
• [7c8483a4e9] - (SEMVER-MAJOR) deps: patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #54077
• [53379f3706] - (SEMVER-MAJOR) deps: update V8 to 14.3.127.12 (Michaël Zasso) #60488
• [f819aec288] - (SEMVER-MAJOR) deps: V8: cherry-pick ff34ae20c8e3 (Chengzhong Wu) #60111
• [1acd8df36f] - (SEMVER-MAJOR) deps: V8: backport fed47445bbdd (Abdirahim Musse) #60111
• [46f72577a4] - (SEMVER-MAJOR) deps: patch V8 for illumos (Dan McDonald) #59805
• [39eb88eaa8] - (SEMVER-MAJOR) deps: use std::map in MSVC STL for EphemeronRememberedSet (Joyee Cheung) #58070
• [ea3d14eadb] - (SEMVER-MAJOR) deps: remove problematic comment from v8-internal (Michaël Zasso) #58070
• [7bc0f245b4] - (SEMVER-MAJOR) deps: patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #54077
• [c2843b722c] - (SEMVER-MAJOR) deps: update V8 to 14.2.231.9 (Michaël Zasso) #60111
• [b4ea323833] - (SEMVER-MAJOR) diagnostics_channel: ensure tracePromise consistency with non-Promises (René) #61766
• [0c08835f71] - (SEMVER-MAJOR) doc: remove extensionless CJS exception for type:module packages (Matteo Collina) #62176
• [ef0f0b0865] - (SEMVER-MAJOR) doc: update supported Windows SDK version to 11 (Mike McCready) #61973
• [a00d95c73d] - (SEMVER-MAJOR) doc: drop p8 and z13 support (Milad Fa) #61005
• [93c25815ee] - (SEMVER-MAJOR) http: move writeHeader to end-of-life (Sebastian Beltran) #60635
• [4346c0f7a7] - (SEMVER-MAJOR) http: fix handling of HTTP upgrades with bodies (Tim Perry) #60016
• [fa70327610] - (SEMVER-MAJOR) lib: return undefined for localStorage without file (Matteo Collina) #61333
• [b328bf74bd] - (SEMVER-MAJOR) lib,src: implement QuotaExceededError as DOMException-derived interface (Filip Skokan) #62293
• [98907f560f] - (SEMVER-MAJOR) module: runtime-deprecate module.register() (Geoffrey Booth) #62401
• [89f4b6cddb] - (SEMVER-MAJOR) module: remove --experimental-transform-types (Marco Ippolito) #61803
• [5334433437] - (SEMVER-MAJOR) src: replace uses of deprecated v8::External APIs (gahaas) #61898
• [46e75f4874] - (SEMVER-MAJOR) src: stop using v8::PropertyCallbackInfo<T>::This() (Igor Sheludko) #61898
• [54fefda0aa] - (SEMVER-MAJOR) src: avoid deprecated Wasm API (Clemens Backes) #61898
• [840f509bd1] - (SEMVER-MAJOR) src: avoid deprecated FixedArray::Get (Clemens Backes) #61898
• [75c3bcc3ec] - (SEMVER-MAJOR) src: update NODE_MODULE_VERSION to 147 (Michaël Zasso) #61898
• [8480f87375] - (SEMVER-MAJOR) src: remove deprecated and unused isolate fields (Michaël Zasso) #60488
• [70b6bd8e19] - (SEMVER-MAJOR) src: update NODE_MODULE_VERSION to 144 (Michaël Zasso) #60488
• [7d2bc5249b] - (SEMVER-MAJOR) src: include node_api_types.h instead of node_api.h in node.h (Anna Henningsen) #60496
• [91ab1101bc] - (SEMVER-MAJOR) src: update NODE_MODULE_VERSION to 142 (Michaël Zasso) #60111
• [ac6375417a] - (SEMVER-MAJOR) stream: promote DEP0201 to runtime deprecation (René) #62173
• [c755b0113c] - (SEMVER-MAJOR) stream: move _stream_* to end-of-life (Sebastian Beltran) #60657
• [fadb214d95] - (SEMVER-MAJOR) stream: readable read one buffer at a time (Robert Nagy) #60441
• [4fe325d93d] - (SEMVER-MAJOR) stream: preserve AsyncLocalStorage on finished only when needed (avcribl) #59873
• [7682e7e9c5] - (SEMVER-MAJOR) test: skip wasm allocation tests in workers (Michaël Zasso) #61898
• [ebfaf25870] - (SEMVER-MAJOR) test: update wpt Wasm jsapi expectations (Michaël Zasso) #61898
• [ece6a17574] - (SEMVER-MAJOR) test: support presence of Temporal global (Michaël Zasso) #61898
• [75b8d7a912] - (SEMVER-MAJOR) test: add type tags to uses of v8::External (gahaas) #61898
• [092a448ad0] - (SEMVER-MAJOR) test: fix test-linux-perf-logger for V8 14.3 (Michaël Zasso) #60488
• [8eb9c8f794] - (SEMVER-MAJOR) tools: remove v8_initializers_slow workaround from v8.gyp (Michaël Zasso) #61898
• [a34fe77fe7] - (SEMVER-MAJOR) tools: add Rust args to tools/make-v8.sh (Richard Lau) #61898
• [f4666bd6e3] - (SEMVER-MAJOR) tools: update V8 gypfiles for 14.6 (Michaël Zasso) #61898
• [3c23d217a6] - (SEMVER-MAJOR) tools: update V8 gypfiles for 14.5 (Michaël Zasso) #61898
• [e508489e37] - (SEMVER-MAJOR) tools: update V8 gypfiles for 14.4 (Michaël Zasso) #61898
• [dc97b507d0] - (SEMVER-MAJOR) util: mark proxied objects as such when inspecting them (Ruben Bridgewater) #61029
• [ddbe1365ff] - (SEMVER-MAJOR) util: reduce TextEncoder.encodeInto function size (Yagiz Nizipli) #60339

• [d4fa60cf9f] - (SEMVER-MINOR) crypto: add raw key formats support to the KeyObject APIs (Filip Skokan) #62240

• [4d8834fbef] - build: add rust target for macOS cross compiles (Richard Lau) #63015
• [a4edab8dfb] - build: use CARGO environment variable if set (Richard Lau) #62421
• [ecf8721076] - build: add weak symbol detection to export script (Abdirahim Musse) #62656
• [5b9f811662] - build: filter hidden visibility symbols on AIX (Abdirahim Musse) #62656
• [2e724793e6] - build: aix add conditonal flags for clang builds (Abdirahim Musse) #62656
• [f212aee483] - build: enable temporal on GHA macOS build (Chengzhong Wu) #61691
• [159ae48f8c] - build: add cargo and rustc checks for Temporal (Richard Lau) #61467
• [a004535617] - build: add temporal to linux GHA build (Chengzhong Wu) #60942
• [9df9b66c18] - crypto: add support for Ed25519 context parameter (Filip Skokan) #62474
• [c3042c605b] - crypto: recognize raw formats in keygen (Filip Skokan) #62480
• [ce0f498def] - deps: V8: cherry-pick fcf8b990c73c (Abdirahim Musse) #62894
• [b7fab70d56] - Revert "deps: V8: cherry-pick 7107287" (Richard Lau) #62894
• [d936c30fb4] - deps: V8: cherry-pick 7107287 (Abdirahim Musse) #62656
• [c91d00b6d4] - deps: fix aix implicit declaration in OpenSSL (Abdirahim Musse) #62656
• [0474a27c06] - deps: libuv: revert 3a9a6e3e6b (Antoine du Hamel) #62511
• [7547e795ef] - deps: update icu to 78.3 (Node.js GitHub Bot) #62324
• [5bebd7eaea] - deps: update libuv to 1.52.1 (Node.js GitHub Bot) #61829
• [87d7db1918] - deps: patch V8 to 14.3.127.18 (Node.js GitHub Bot) #61421
• [9d27d9a393] - deps: patch V8 to 14.3.127.17 (Node.js GitHub Bot) #61058
• [bfc729cf19] - deps: patch V8 to 14.3.127.16 (Node.js GitHub Bot) #60819
• [8716146d5b] - deps: patch V8 to 14.3.127.14 (Node.js GitHub Bot) #60743
• [da71ab6895] - deps: V8: cherry-pick highway@989a498fdf3 (Richard Lau) #60682
• [72d719dc00] - deps: support madvise(3C) across ALL illumos revisions (Dan McDonald) #58237
• [ecca2b0d64] - deps: define V8_PRESERVE_MOST as no-op on Windows (Stefan Stojanovic) #56238
• [baefd4d5e2] - deps: patch V8 to 14.2.231.17 (Node.js GitHub Bot) #60647
• [76d6be5fc5] - deps: patch V8 to 14.2.231.16 (Node.js GitHub Bot) #60544
• [e0ca993514] - deps: patch V8 to 14.2.231.14 (Node.js GitHub Bot) #60413
• [de8386de4d] - deps: V8: cherry-pick f93055fbd5aa (Olivier Flückiger) #60105
• [710105bab5] - deps: support madvise(3C) across ALL illumos revisions (Dan McDonald) #58237
• [6e5f3b9fe1] - deps: define V8_PRESERVE_MOST as no-op on Windows (Stefan Stojanovic) #56238
• [b2c5235254] - doc: fix stray carriage return in packages.md (Filip Skokan) #62350
• [f38a739623] - doc: reserve NMV 146 for Electron 42 (Niklas Wenzel) #62124
• [a57893b799] - doc: add Temporal section to Table of Contents (Richard Lau) #61805
• [d4cc54b8c8] - doc: fix v24 changelog after security release (Marco Ippolito) #61371
• [659fd01b3e] - doc: fix v22 changelog after security release (Marco Ippolito) #61371
• [6c96a63891] - doc: fix v20 changelog after security release (Marco Ippolito) #61371
• [a18f8c1693] - doc: reserve NMV 145 for Electron 41 (Niklas Wenzel) #61291
• [253b16fe14] - doc: add note about rust toolchain version requirement (Chengzhong Wu) #60942
• [0177491df2] - doc: restore REPLACEME on assert change (Michaël Zasso) #60848
• [dec0213c83] - doc: add known issue to v24.11.0 release notes (Richard Lau) #60467
• [f7ca0ae765] - doc: remove Corepack documentation page (Antoine du Hamel) #57663
• [a7d9c49490] - doc: reserve NMV 143 for Electron 40 (Shelley Vohr) #60386
• [04a086a1f4] - esm: use wasm version of cjs-module-lexer (Joyee Cheung) #60663
• [a27052f2e0] - Revert "inspector: fix compressed responses" (Antoine du Hamel) #61502
• [186c7a9c74] - inspector: fix compressed responses (Ruben Nogueira) #61226
• [012bf70908] - process: optimize asyncHandledRejections by using FixedQueue (Gürgün Dayıoğlu) #60854
• [1a88acbfa2] - quic: fixup linting/formatting issues (James M Snell) #62387
• [79b960a2bc] - quic: update http3 impl details (James M Snell) #62387
• [57186e5827] - quic: fix a handful of bugs and missing functionality (James M Snell) #62387
• [637bda0238] - sqlite: enable Percentile extension (Jurj Andrei George) #61295
• [e619adfb86] - src: workaround AIX libc++ std::filesystem bug (Richard Lau) #62788
• [79262ff860] - src: do not enable wasm trap handler if there's not enough vmem (Joyee Cheung) #62132
• [2422ed8b5b] - src: remove redundant experimental_transform_types from node_options.h (沈鸿飞) #62058
• [a86db6be70] - src: simplify handling of kNoAuthTagLength (Tobias Nießen) #61192
• [d546e7fd0b] - src: tag more v8 aligned pointer slots (Chengzhong Wu) #60666
• [b8e264d3c3] - src: tag v8 aligned pointer slots with embedder data type tags (Chengzhong Wu) #60602
• [cd391b5f11] - test: wpt for Wasm jsapi including new ESM Integration tests (Guy Bedford) #59034
• [1baafcc882] - test: update WPT resources, interfaces and WebCryptoAPI (Node.js GitHub Bot) #62389
• [6a84d4a17c] - tools: update nixpkgs-unstable to 832efc09b4caf6b4569fbf9dc01bec3082a (Node.js GitHub Bot) #62486
• [a98d9f6ad7] - tools: update nixpkgs-unstable to 9cf7092bdd603554bd8b63c216e8943cf9b (Node.js GitHub Bot) #62383
• [f6d02af01f] - tools: update nixpkgs-unstable to f82ce7af0b79ac154b12e27ed800aeb9741 (Node.js GitHub Bot) #62258
• [5b5f069a27] - tools: bump nixpkgs-unstable pin to e38213b91d3786389a446dfce4ff5a8aaf6 (Node.js GitHub Bot) #62052
• [13eb80f3b7] - tools: update nixpkgs-unstable to d1c15b7d5806069da59e819999d70e1cec0 (Node.js GitHub Bot) #61931
• [4d1557a744] - tools: update nixpkgs-unstable to 2343bbb58f99267223bc2aac4fc9ea301a1 (Node.js GitHub Bot) #61831
• [ecd979c95a] - tools: update nixpkgs-unstable to ae67888ff7ef9dff69b3cf0cc0fbfbcd3a7 (Node.js GitHub Bot) #61733
• [7de56bdee2] - tools: update nixpkgs-unstable to 6308c3b21396534d8aaeac46179c14c439a (Node.js GitHub Bot) #61606
• [e33ce7a6fe] - tools: update nixpkgs-unstable to ab9fbbcf4858bd6d40ba2bbec37ceb4ab6e (Node.js GitHub Bot) #61513
• [ba05a66774] - tools: update nixpkgs-unstable to be5afa0fcb31f0a96bf9ecba05a516c66fc (Node.js GitHub Bot) #61420
• [bb5d066989] - tools: update nixpkgs-unstable to 3146c6aa9995e7351a398e17470e15305e6 (Node.js GitHub Bot) #61340
• [d050aa87e8] - tools: update nixpkgs-unstable to 16c7794d0a28b5a37904d55bcca36003b91 (Node.js GitHub Bot) #61272
• [2696391b18] - tools: update nixpkgs-unstable to 3edc4a30ed3903fdf6f90c837f961fa6b49 (Node.js GitHub Bot) #61188
• [c5d3f5f9c8] - tools: update nixpkgs-unstable to 7d853e518814cca2a657b72eeba67ae20eb (Node.js GitHub Bot) #61137
• [dcb9573d0f] - tools: update nixpkgs-unstable to f997fa0f94fb1ce55bccb97f60d41412ae8 (Node.js GitHub Bot) #61057
• [bd426739dc] - tools: update nixpkgs-unstable to a672be65651c80d3f592a89b3945466584a (Node.js GitHub Bot) #60980
• [85852a3221] - tools: update nixpkgs-unstable to 59b6c96beacc898566c9be1052ae806f383 (Node.js GitHub Bot) #60900
• [1e7eb90b39] - tools: update nixpkgs-unstable to a8d610af3f1a5fb71e23e08434d8d61a466 (Node.js GitHub Bot) #60818
• [fb6b83c9ef] - tools: lint Temporal global (René) #60793
• [adb40439ca] - tools: update nixpkgs-unstable to 71cf367cc2c168b0c2959835659c38f0a34 (Node.js GitHub Bot) #60742
• [8a76958005] - tools: update nixpkgs-unstable to ffcdcf99d65c61956d882df249a9be53e59 (Node.js GitHub Bot) #60315

• [3d87ecacbc] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708
• [83c38672f7] - cli: add --require-module/--no-require-module (Joyee Cheung) #60959
• [54ef940e01] - (SEMVER-MINOR) crypto: add raw key formats support to the KeyObject APIs (Filip Skokan) #62240
• [f4a3edc47a] - (SEMVER-MINOR) fs: add throwIfNoEntry option for fs.stat and fs.promises.stat (Juan José) #61178
• [5cdcba17cc] - (SEMVER-MINOR) http2: add http1Options for HTTP/1 fallback configuration (Amol Yadav) #61713
• [8b6be3fe14] - module: mark require(esm) as stable (Joyee Cheung) #60959
• [68fbc0c6cc] - module: mark module compile cache as stable (Joyee Cheung) #60971
• [c851e76f8c] - (SEMVER-MINOR) net: add setTOS and getTOS to Socket (Amol Yadav) #61503
• [6ac4304c87] - (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin) #61298
• [aaf9af1672] - sqlite: mark as release candidate (Matteo Collina) #61262
• [eb77a7a297] - (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS) #61869
• [6834ca13bb] - (SEMVER-MINOR) stream: rename Duplex.toWeb() type option to readableType (René) #61632
• [f5f21d36a6] - test_runner: add exports option for module mocks (sangwook) #61727
• [1f2025fd1e] - (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan) #61394
• [1ca20fc33d] - (SEMVER-MINOR) test_runner: show interrupted test on SIGINT (Matteo Collina) #61676

• [148373cea1] - assert,util: improve comparison performance (Ruben Bridgewater) #61176
• [e5558b0859] - assert,util: fix deep comparing invalid dates skipping properties (Ruben Bridgewater) #61076
• [83cffd92b5] - async_hooks: enabledHooksExist shall return if hooks are enabled (Gerhard Stöbich) #61054
• [2c9436b43d] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #62084
• [837acd7382] - benchmark: add startup benchmark for ESM entrypoint (Joyee Cheung) #61769
• [a6ced7d272] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #61871
• [a82003bf8b] - buffer: optimize buffer.concat performance (Mert Can Altin) #61721
• [83dfd0be1d] - buffer: disallow ArrayBuffer transfer on pooled buffer (Chengzhong Wu) #61372
• [ed2d0cb1bf] - build: support empty libname flags in configure.py (Antoine du Hamel) #62477
• [09f7920267] - build: fix timezone-update path references (Chengzhong Wu) #62280
• [af46b15b91] - build: use path-ignore in GHA coverage-windows.yml (Chengzhong Wu) #61811
• [2cf77eadd1] - build: generate_config_gypi.py generates valid JSON (Shelley Vohr) #61791
• [e0220f0c35] - build: build with v8 gdbjit support on supported platform (Joyee Cheung) #61010
• [5505511dcb] - build: enable -DV8_ENABLE_CHECKS flag (Ryuhei Shima) #61327
• [5f8ecf3940] - build: add --debug-symbols to build with -g without enabling DCHECKs (Joyee Cheung) #61100
• [ab18c0867b] - build: fix --node-builtin-modules-path (Filip Skokan) #62115
• [bfa60d5782] - build: fix GN for new merve dep (Shelley Vohr) #61984
• [0d1975fe3a] - build,win: add WinGet Visual Studio 2022 Build Tools Edition config (Mike McCready) #61652
• [10b2bb5fa6] - child_process: add tracing channel for spawn (Marco) #61836
• [3d87ecacbc] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708
• [83c38672f7] - cli: add --require-module/--no-require-module (Joyee Cheung) #60959
• [9d37233824] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485
• [b0cbfe38a4] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #62254
• [dc034a4ac9] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #62218
• [8aa6e706df] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #62169
• [20cb932bcf] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #62170
• [e2934162b4] - crypto: add missing AES dictionaries (Filip Skokan) #62099
• [8b8db52f65] - crypto: fix importKey required argument count check (Filip Skokan) #62099
• [bd5458db29] - crypto: fix missing nullptr check on RSA_new() (ndossche) #61888
• [7302c7ed22] - crypto: fix handling of null BUF_MEM* in ToV8Value() (Nora Dossche) #61885
• [8d0c22ea20] - crypto: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) #61788
• [72aad8b40f] - crypto: always return certificate serial numbers as uppercase (Anna Henningsen) #61752
• [2395fc0f4d] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #61875
• [541be3aaf2] - crypto: recognize raw formats in keygen (Filip Skokan) #62480
• [54ef940e01] - (SEMVER-MINOR) crypto: add raw key formats support to the KeyObject APIs (Filip Skokan) #62240
• [bef1949823] - deps: V8: cherry-pick 33e7739c134d (Thibaud Michaud) #62567
• [2e1a565a55] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #62414
• [d0418bad10] - deps: update timezone to 2026a (Node.js GitHub Bot) #62164
• [53aad66415] - deps: update googletest to 2461743991f9aa53e9a3625eafcbacd81a3c74cd (Node.js GitHub Bot) #62484
• [90fab71a84] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #62382
• [a416ddf6d9] - deps: V8: cherry-pick cf1bce40a5ef (Richard Lau) #62449
• [4d9123e57d] - deps: upgrade npm to 11.12.1 (npm team) #62448
• [952d715028] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #62256
• [f3fd7ed426] - deps: update googletest to 73a63ea05dc8ca29ec1d2c1d66481dd0de1950f1 (Node.js GitHub Bot) #61927
• [71a2f82d7c] - deps: upgrade npm to 11.11.1 (npm team) #62216
• [84f60c26f7] - deps: update amaro to 1.1.8 (Node.js GitHub Bot) #62151
• [43159d0e5f] - deps: update sqlite to 3.52.0 (Node.js GitHub Bot) #62150
• [b887657b38] - deps: V8: cherry-pick aa0b288f87cc (Richard Lau) #62136
• [7ab885b323] - deps: update ada to 3.4.3 (Node.js GitHub Bot) #62049
• [671ddec2b9] - deps: update minimatch to 10.2.4 (Node.js GitHub Bot) #62016
• [290fe37d4d] - deps: update simdjson to 4.3.1 (Node.js GitHub Bot) #61930
• [a13bee76b5] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #61928
• [f0e40b35b9] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #61925
• [463dfa023a] - deps: update minimatch to 10.2.2 (Node.js GitHub Bot) #61830
• [4b2e4bb108] - deps: update nbytes to 0.1.3 (Node.js GitHub Bot) #61879
• [5626cb83d0] - deps: remove stale OpenSSL arch configs (René) #61834
• [52668874fd] - deps: update llhttp to 9.3.1 (Node.js GitHub Bot) #61827
• [b3387b07b1] - deps: update googletest to 5a9c3f9e8d9b90bbbe8feb32902146cb8f7c1757 (Node.js GitHub Bot) #61731
• [196268cb4c] - deps: V8: cherry-pick c5ff7c4d6cde (Chengzhong Wu) #61372
• [36869b52de] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #62213
• [3cbac055de] - deps: update merve to 1.2.0 (Node.js GitHub Bot) #62149
• [7757cc3495] - deps: V8: backport 6a0a25abaed3 (Vivian Wang) #61670
• [359797c2fb] - deps,src: prepare for cpplint update (Michaël Zasso) #60901
• [ace802e59b] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #62123
• [a072411b03] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #62243
• [0b152449af] - doc: fix typo in --disable-wasm-trap-handler description (Dmytro Semchuk) #61820
• [73ea387ad7] - doc: remove obsolete Boxstarter automated install (Mike McCready) #61785
• [7f234add8e] - doc: deprecate module.register() (DEP0205) (Geoffrey Booth) #62395
• [12fc3c6a30] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #62456
• [1ecc5962a2] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #62492
• [56741a1303] - doc: move sqlite type conversion section to correct level (René) #62482
• [12b04d17d5] - doc: add Rafael to last security release steward (Rafael Gonzaga) #62423
• [c4567e4a8d] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #62206
• [384a41047f] - doc: enhance clarification about the main field (Mowafak Almahaini) #62302
• [93d19b1a1c] - doc: minor typo fix (Jeff Matson) #62358
• [3db35d2c59] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #62355
• [57b105c9d5] - doc: deprecate CryptoKey use in node:crypto (Filip Skokan) #62321
• [490168c993] - doc: fix small environment_variables typo (chris) #62279
• [0291be584b] - doc: test and test-only targets do not run linter (Xavier Stouder) #62120
• [ba0a82a1e1] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #62208
• [125bdbf504] - doc: clarify that any truthy value of shell is part of DEP0190 (Antoine du Hamel) #62249
• [a141ad0aeb] - doc: remove outdated Chrome 66 and ndb references from debugger (Kit Dallege) #62202
• [44bde8e573] - doc: add note (and caveat) for mock.module about customization hooks (Jacob Smith) #62075
• [8c46a1ca1a] - doc: copyedit addons.md (Antoine du Hamel) #62071
• [7f989f02f7] - doc: correct util.convertProcessSignalToExitCode validation behavior (René) #62134
• [a4466ebdac] - doc: add efekrskl as triager (Efe) #61876
• [db516eca3a] - doc: fix markdown for expectFailure values (Jacob Smith) #62100
• [ad97045125] - doc: include url.resolve() in DEP0169 application deprecation (Mike McCready) #62002
• [309f37ba42] - doc: expand SECURITY.md with non-vulnerability examples (Rafael Gonzaga) #61972
• [dbb3551b7b] - doc: separate in-types and out-types in SQLite conversion docs (René) #62034
• [191c433db8] - doc: fix small logic error in DETECT_MODULE_SYNTAX (René) #62025
• [8511b1c784] - doc: fix module.stripTypeScriptTypes indentation (René) #61992
• [dd1139f52c] - doc: update DEP0040 (punycode) to application type deprecation (Mike McCready) #61916
• [54009e9c62] - doc: explicitly mention Slack handle (Rafael Gonzaga) #61986
• [78fa1a1a49] - doc: support toolchain Visual Studio 2022 & 2026 + Windows 11 SDK (Mike McCready) #61864
• [d8204d3cdb] - doc: rename invalid function parameter (René) #61942
• [a5a14482fb] - doc: clarify status of feature request issues (Antoine du Hamel) #61505
• [bd0688feb6] - doc: add esm and cjs examples to node:vm (Alfredo González) #61498
• [240b512f9f] - doc: clarify build environment is trusted in threat model (Matteo Collina) #61865
• [5dd48e3456] - doc: remove incorrect mention of module in typescript.md (Rob Palmer) #61839
• [9502c22055] - doc: simplify addAbortListener example (Chemi Atlow) #61842
• [6fec397828] - doc: clean up globals.md (René) #61822
• [a810f5ccef] - doc: clarify async caveats for events.once() (René) #61572
• [2bf990bb1a] - doc: update Juan's security steward info (Juan José) #61754
• [0312db948d] - doc: fix methods being documented as properties in process.md (Antoine du Hamel) #61765
• [e558b26e7f] - doc: add riscv64 info into platform list (Lu Yahan) #42251
• [49254e3dc0] - doc: fix dropdown menu being obscured at <600px due to stacking context (Jeff) #61735
• [4ff01b5c10] - doc: fix spacing in process message event (Aviv Keller) #61756
• [94097a79d6] - doc: move describe/it aliases section before expectFailure (Luca Raveri) #61567
• [b7cd31acbe] - doc: fix broken links of net.md (YuSheng Chen) #61673
• [ae5e353fe2] - doc: clean up Windows code snippet in child_process.md (reillylm) #61422
• [ea9beb6a3c] - doc: update to Visual Studio 2026 manual install (Mike McCready) #61655
• [42057c84e2] - doc,module: add missing doc for syncHooks.deregister() (Joyee Cheung) #61959
• [a035bd5235] - doc,test: clarify --eval syntax for leading '-' scripts (kovan) #62244
• [deb0b78460] - esm: fix typo in worker loader hook comment (jakecastelli) #62475
• [b93bf7dbfc] - esm: fix source phase identity bug in loadCache eviction (Guy Bedford) #62415
• [679d18b57f] - esm: fix path normalization in finalizeResolution (Antoine du Hamel) #62080
• [171e9fc268] - esm: update outdated FIXME comment in translators.js (Karan Mangtani) #61715
• [cc19728228] - events: avoid cloning listeners array on every emit (Gürgün Dayıoğlu) #62261
• [458c92be52] - events: don't call resume after close (Сковорода Никита Андреевич) #60548
• [4691f3e7fb] - fs: fix cpSync to handle non-ASCII characters (Stefan Stojanovic) #61950
• [f4a3edc47a] - (SEMVER-MINOR) fs: add throwIfNoEntry option for fs.stat and fs.promises.stat (Juan José) #61178
• [58e4d50cd0] - http: fix use-after-free when freeParser is called during llhttp_execute (Gerhard Stöbich) #62095
• [0a4ad85ab0] - http: validate ClientRequest path on set (Matteo Collina) #62030
• [f8178ac3e6] - http: validate headers in writeEarlyHints (Richard Clarke) #61897
• [899884d0ed] - http: remove redundant keepAliveTimeoutBuffer assignment (Efe) #61743
• [08d2e40694] - http: attach error handler to socket synchronously in onSocket (RajeshKumar11) #61770
• [1c2064c1f8] - http: fix keep-alive socket reuse race in requestOnFinish (Martin Slota) #61710
• [38e9c66e0f] - http2: add strictSingleValueFields option to relax header validation (Tim Perry) #59917
• [5cdcba17cc] - (SEMVER-MINOR) http2: add http1Options for HTTP/1 fallback configuration (Amol Yadav) #61713
• [687c0acd00] - http2: fix FileHandle leak in respondWithFile (sangwook) #61707
• [0c8f802ec2] - inspector: add Target.getTargets and extract TargetManager (Kohei) #62487
• [7de8a303c1] - inspector: unwrap internal/debugger/inspect imports (René) #61974
• [59ac10a4fd] - lib: make SubtleCrypto.supports enumerable (Filip Skokan) #62307
• [9dc102ba90] - lib: prefer primordials in SubtleCrypto (Filip Skokan) #62226
• [78a9aa8f32] - lib: fix source map url parse in dynamic imports (Chengzhong Wu) #61990
• [16b8cc6643] - lib: improve argument handling in Blob constructor (Ms2ger) #61980
• [a03b5d39b8] - lib: reduce cycles in esm loader and load it in snapshot (Joyee Cheung) #61769
• [1017bf5f86] - lib: remove top-level getOptionValue() calls in lib/internal/modules (Joyee Cheung) #61769
• [d79984b41b] - lib: optimize styleText when validateStream is false (Rafael Gonzaga) #61792
• [6462b89d10] - meta: bump actions/download-artifact from 7.0.0 to 8.0.0 (dependabot[bot]) #62063
• [5bb89916ea] - meta: bump actions/upload-artifact from 6.0.0 to 7.0.0 (dependabot[bot]) #62062
• [b067d74d94] - meta: bump step-security/harden-runner from 2.14.2 to 2.15.0 (dependabot[bot]) #62064
• [830e5cd125] - meta: bump github/codeql-action from 4.32.0 to 4.32.4 (dependabot[bot]) #61911
• [16c839a3dd] - meta: bump step-security/harden-runner from 2.14.1 to 2.14.2 (dependabot[bot]) #61909
• [498abf661e] - meta: bump actions/stale from 10.1.1 to 10.2.0 (dependabot[bot]) #61908
• [78ac17f426] - module: fix coverage of mocked CJS modules imported from ESM (Marco) #62133
• [46cfad4138] - module: run require.resolve through module.registerHooks() (Joyee Cheung) #62028
• [8b6be3fe14] - module: mark require(esm) as stable (Joyee Cheung) #60959
• [68fbc0c6cc] - module: mark module compile cache as stable (Joyee Cheung) #60971
• [c851e76f8c] - (SEMVER-MINOR) net: add setTOS and getTOS to Socket (Amol Yadav) #61503
• [4c206ecb31] - quic: remove CryptoKey support from session keys option (Filip Skokan) #62335
• [2f9c085cf5] - sqlite: handle stmt invalidation (Guilherme Araújo) #61877
• [6ac4304c87] - (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin) #61298
• [aaf9af1672] - sqlite: mark as release candidate (Matteo Collina) #61262
• [7d67e5d693] - src: convert context_frame field in AsyncWrap to internal field (Anna Henningsen) #62103
• [d8ea1aaa8a] - src: make AsyncWrap subclass internal field counts explicit (Anna Henningsen) #62103
• [1dbf3bedbe] - src: improve EC JWK import performance (Filip Skokan) #62396
• [cd84af747b] - src: handle null backing store in ArrayBufferViewContents::Read (Mert Can Altin) #62343
• [4f553cdc01] - src: enable compilation/linking with OpenSSL 4.0 (Filip Skokan) #62410
• [70f8057258] - src: use stack allocation in indexOf latin1 path (Mert Can Altin) #62268
• [d788467b6a] - src: expose async context frame debugging helper to JS (Anna Henningsen) #62103
• [4213f893ec] - src: release context frame in AsyncWrap::EmitDestroy (Gerhard Stöbich) #61995
• [79fb8cbcf5] - src: use validate_ascii_with_errors instead of validate_ascii (Сковорода Никита Андреевич) #61122
• [2df328d59e] - src: fix flags argument offset in JSUdpWrap (Weixie Cui) #61948
• [eb77a7a297] - (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS) #61869
• [6cda3d30c0] - src: remove unnecessary c_str() conversions in diagnostic messages (Anna Henningsen) #61786
• [26c6045363] - src: use bool literals in TraceEnvVarOptions (Tobias Nießen) #61425
• [3c8f700fd7] - src: track allocations made by zstd streams (Anna Henningsen) #61717
• [94dbb36d4d] - src: do not store compression methods on Brotli classes (Anna Henningsen) #61717
• [bef661f182] - src: extract zlib allocation tracking into its own class (Anna Henningsen) #61717
• [e8079a8297] - src: release memory for zstd contexts in Close() (Anna Henningsen) #61717
• [6e1197a3cc] - src: add more checks and clarify docs for external references (Joyee Cheung) #61719
• [c28a22c4be] - src: fix cjs_lexer external reference registration (Joyee Cheung) #61718
• [9e2c5fd7c9] - src: simply uint32 to string as it must not fail (Chengzhong Wu) #60846
• [df435d32b8] - src: build v8 tick processor as built-in source text modules (Joyee Cheung) #60518
• [2cb3573735] - src,sqlite: fix filterFunc dangling reference (Edy Silva) #62281
• [c44f53b544] - stream: preserve error over AbortError in pipeline (Marco) #62113
• [dc541370b4] - stream: replace bind with arrow function for onwrite callback (Ali Hassan) #62087
• [f6cdfbfaa7] - stream: optimize webstreams pipeTo (Mattias Buelens) #62079
• [fcf2a9f788] - stream: fix brotli error handling in web compression streams (Filip Skokan) #62107
• [cdec579c6b] - stream: improve Web Compression spec compliance (Filip Skokan) #62107
• [dbe5898379] - stream: fix UTF-8 character corruption in fast-utf8-stream (Matteo Collina) #61745
• [531e62cd74] - stream: fix TransformStream race on cancel with pending write (Marco) #62040
• [a3751f2249] - stream: accept ArrayBuffer in CompressionStream and DecompressionStream (조수민) #61913
• [65aa8f68d0] - stream: fix pipeTo to defer writes per WHATWG spec (Matteo Collina) #61800
• [15f32b4935] - stream: fix decoded fromList chunk boundary check (Thomas Watson) #61884
• [569767e52e] - stream: add fast paths for webstreams read and pipeTo (Matteo Collina) #61807
• [6834ca13bb] - (SEMVER-MINOR) stream: rename Duplex.toWeb() type option to readableType (René) #61632
• [5ed5474437] - test: update WPT for WebCryptoAPI to 2cb332d710 (Node.js GitHub Bot) #62483
• [3c9c0f8577] - test: fix test-buffer-zero-fill-cli to be effective (Сковорода Никита Андреевич) #60623
• [19a52a1abe] - test: update WPT for url to fc3e651593 (Node.js GitHub Bot) #62379
• [111ba9bd5b] - test: wait for reattach before initial break on restart (Yuya Inoue) #62471
• [0897c6cc08] - test: disable flaky WPT Blob test on AIX (James M Snell) #62470
• [1c3d93bfab] - test: avoid flaky run wait in debugger restart test (Yuya Inoue) #62112
• [83416a640a] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #62238
• [af8d0922dd] - test: add WebCrypto Promise.prototype.then pollution regression tests (Filip Skokan) #62226
• [fc9a60ec74] - test: update WPT for WebCryptoAPI to 6a1c545d77 (Node.js GitHub Bot) #62187
• [12ba2d74fe] - test: update WPT for url to c928b19ab0 (Node.js GitHub Bot) #62148
• [4e15e5b647] - test: update WPT for WebCryptoAPI to c9e955840a (Node.js GitHub Bot) #62147
• [dc66a05558] - test: improve WPT report runner (Filip Skokan) #62107
• [9536e5621b] - test: update WPT compression to ae05f5cb53 (Filip Skokan) #62107
• [fb1c0bda0a] - test: update WPT for WebCryptoAPI to 42e47329fd (Node.js GitHub Bot) #62048
• [d886f27485] - test: fix skipping behavior for test-runner-run-files-undefined (Antoine du Hamel) #62026
• [f79df03e0b] - test: remove unnecessary process.exit calls from test files (Antoine du Hamel) #62020
• [1319295467] - test: skip test-url on --shared-ada builds (Antoine du Hamel) #62019
• [2ea06727c6] - test: skip strace test with shared openssl (Richard Lau) #61987
• [c0680d5df7] - test: avoid flaky debugger restart waits (Yuya Inoue) #61773
• [22b748ef72] - test: fix typos in test files (Daijiro Wachi) #61408
• [a20bf9a84d] - test: allow filtering async internal frames in assertSnapshot (Joyee Cheung) #61769
• [ec2913f036] - test: unify assertSnapshot stacktrace transform (Chengzhong Wu) #61665
• [460f41233d] - test: check stability block position in API markdown (René) #58590
• [9ad02065d5] - test: adapt buffer test for v8 sandbox (Shelley Vohr) #61772
• [5cf001736e] - test: update FileAPI tests from WPT (Ms2ger) #61750
• [84c7a23223] - test: update WPT for WebCryptoAPI to 7cbe7e8ed9 (Node.js GitHub Bot) #61729
• [276a32fd10] - test: update WPT for url to efb889eb4c (Node.js GitHub Bot) #61728
• [f5f21d36a6] - test_runner: add exports option for module mocks (sangwook) #61727
• [bfc8a12977] - test_runner: make it compatible with fake timers (Matteo Collina) #59272
• [e0cde40e1d] - test_runner: set non-zero exit code when suite errors occur (Edy Silva) #62282
• [d74efd6834] - test_runner: run afterEach on runtime skip (Igor Shevelenkov) #61525
• [8287ca749e] - test_runner: expose expectFailure message (sangwook) #61563
• [1f2025fd1e] - (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan) #61394
• [b1199c7bb4] - test_runner: replace native methods with primordials (Ayoub Mabrouk) #61219
• [1ca20fc33d] - (SEMVER-MINOR) test_runner: show interrupted test on SIGINT (Matteo Collina) #61676
• [207ba4f89f] - test_runner: fix suite rerun (Moshe Atlow) #61775
• [9927335c11] - tls: forward keepAlive, keepAliveInitialDelay, noDelay to socket (Sergey Zelenov) #62004
• [a1c3c901c0] - tools: bump picomatch from 4.0.3 to 4.0.4 in /tools/eslint (dependabot[bot]) #62439
• [1c6f5ed7c2] - tools: adopt the --check-for-duplicates NCU flag (Antoine du Hamel) #62478
• [b53377e8fe] - tools: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint (dependabot[bot]) #62375
• [f102e79b80] - tools: bump eslint deps (Huáng Jùnliàng) #62356
• [f5d74f8216] - tools: add eslint-plugin-regexp (Huáng Jùnliàng) #62093
• [bc5b9a04ad] - tools: bump flatted from 3.3.3 to 3.4.1 in /tools/eslint (dependabot[bot]) #62255
• [bad48b9700] - tools: validate all commits that are pushed to main (Antoine du Hamel) #62246
• [795d663ff4] - tools: keep GN files when updating Merve (Antoine du Hamel) #62167
• [0b6fa913f1] - tools: revert timezone update GHA workflow to ubuntu-latest (Richard Lau) #62140
• [840e098e99] - tools: improve error handling in test426 update script (Rich Trott) #62121
• [bd34e53a8e] - tools: bump the eslint group across 1 directory with 2 updates (dependabot[bot]) #62092
• [54dc797644] - tools: fix daily wpt workflow nighly release version lookup (Filip Skokan) #62076
• [30476ddff7] - tools: fix example in release proposal linter (Richard Lau) #62074
• [5245900c05] - tools: bump minimatch from 3.1.3 to 3.1.5 in /tools/clang-format (dependabot[bot]) #62013
• [59ad1e4503] - tools: bump eslint to v10, babel to v8.0.0-rc.2 (Huáng Jùnliàng) #61905
• [6f93c4b287] - tools: fix parsing of commit trailers in lint-release-proposal GHA (Antoine du Hamel) #62077
• [de1bcfd54c] - tools: bump minimatch from 3.1.2 to 3.1.3 in /tools/clang-format (dependabot[bot]) #61977
• [492868a7aa] - tools: fix permissions for merve update script (Richard Lau) #62023
• [774d0be1b3] - tools: revert tools GHA workflow to ubuntu-latest (Richard Lau) #62024
• [d91a689d6f] - tools: bump minimatch from 3.1.2 to 3.1.3 in /tools/eslint (dependabot[bot]) #61976
• [34b6305933] - tools: roll back to x86 runner on scorecard.yml (Antoine du Hamel) #61944
• [937cd97a63] - tools: fix auto-start-ci (Antoine du Hamel) #61900
• [0958f9a9c7] - tools: do not checkout repo in auto-start-ci.yml (Antoine du Hamel) #61874
• [c7607b9208] - tools: automate updates for test/fixtures/test426 (Rich Trott) #60978
• [00df3c1273] - tools: bump unist-util-visit in /tools/doc in the doc group (dependabot[bot]) #61646
• [fe15b0d65e] - tools: bump the eslint group in /tools/eslint with 6 updates (dependabot[bot]) #61628
• [bc38db51fc] - tools: fix small inconsistencies in JSON doc output (Antoine du Hamel) #61757
• [3e7010d47f] - tools: refloat 10 Node.js patches to cpplint.py (Michaël Zasso) #60901
• [583e6c67ea] - tools: update cpplint to 2.0.2 (Michaël Zasso) #60901
• [4c12ab8abc] - typings: rationalise TypedArray types (René) #62174
• [8357ebfe54] - url: suppress warnings from url.format/url.resolve inside node_modules (René) #62005
• [aad7b3cfca] - url: enable simdutf for ada (Yagiz Nizipli) #61477
• [7b28fb9812] - util: allow color aliases in styleText (sangwook) #62180
• [8bbe0138ce] - util: add fast path to stripVTControlCharacters (Hiroki Osame) #61833
• [f7a408d6f7] - wasm: support js string constant esm import (Guy Bedford) #62198
• [a0316d33b5] - watch: get flags from execArgv (Efe) #61779
• [eee96f7f5d] - worker: heap profile optimizations (Ilyas Shabi) #62201
• [deeeb22e1a] - worker: eliminate race condition in process.cwd() (giulioAZ) #61664
• [b15ea64ed9] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #62325
• [a9c5bd29c9] - zlib: add support for brotli compression dictionary (Andy Weiss) #61763

MockModuleOptions.defaultExport and MockModuleOptions.namedExports have been consolidated into a single option MockModuleOptions.exports to align with user expectations and other test runners.

A default property on MockModuleOptions.exports represents the default export, and own enumerable properties are treated as named exports.

An automated migration is available to update user code: https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports

npx codemod @nodejs/mock-module-exports

Contributed by sangwook in #61727.

• [312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #61674
• [62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708
• [d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183
• [f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #62188
• [67b854d407] - (SEMVER-MINOR) repl: remove dependency on node:domain (Matteo Collina) #61227
• [966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158
• [e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #62066

• [312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #61674
• [bfff8cb2ab] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #62066
• [c721d68502] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #62084
• [e2f03c8e92] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #61871
• [2fcd07f1ba] - build: support empty libname flags in configure.py (Antoine du Hamel) #62477
• [b800c57fce] - build: fix timezone-update path references (Chengzhong Wu) #62280
• [7dc5a1e9b4] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #62189
• [f0eea0f905] - build: fix --node-builtin-modules-path (Filip Skokan) #62115
• [62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708
• [ac4b485698] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485
• [d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183
• [3009980d9d] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #62254
• [f5725ca81d] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #62218
• [f69ed4bc3f] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #61875
• [4d96e53570] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #62169
• [93d77719e8] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #62170
• [3d2e23a981] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #62414
• [176d6d2205] - deps: update timezone to 2026a (Node.js GitHub Bot) #62164
• [95c7fc67ba] - deps: update googletest to 2461743991f9aa53e9a3625eafcbacd81a3c74cd (Node.js GitHub Bot) #62484
• [e5e9f2044a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #62382
• [905b94266a] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #62051
• [180c150122] - deps: V8: cherry-pick cf1bce40a5ef (Richard Lau) #62449
• [bc265aa003] - deps: upgrade npm to 11.12.1 (npm team) #62448
• [f1b28612c4] - deps: V8: cherry-pick b25cd62c7ba2 (Yagiz Nizipli) #62354
• [757719d2af] - deps: disable rust icu compiled_data features (Chengzhong Wu) #62284
• [3bdc955b63] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #62256
• [a9703d194a] - deps: update googletest to 73a63ea05dc8ca29ec1d2c1d66481dd0de1950f1 (Node.js GitHub Bot) #61927
• [85138935cb] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #62213
• [231521e75e] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #62123
• [0093863664] - doc: deprecate module.register() (DEP0205) (Geoffrey Booth) #62395
• [0b96ece6be] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #62456
• [8d3ea975f5] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #62492
• [08ff16e0ba] - doc: move sqlite type conversion section to correct level (René) #62482
• [61cc747dd8] - doc: add Rafael to last security release steward (Rafael Gonzaga) #62423
• [64cfa5a6fa] - doc: use npm-published version of doc-kit (Aviv Keller) #62139
• [1020321fb0] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #62206
• [9caa7855b2] - doc: fix guaranteed typo (lilianakatrina684-a11y) #62374
• [e254f65306] - doc: enhance clarification about the main field (Mowafak Almahaini) #62302
• [9e724b53f8] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #62243
• [7f37c17516] - doc: minor typo fix (Jeff Matson) #62358
• [eb0ca98f01] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #62355
• [198b6e0932] - doc: deprecate CryptoKey use in node:crypto (Filip Skokan) #62321
• [17e5aee6c5] - doc: fix small environment_variables typo (chris) #62279
• [193d629895] - doc: test and test-only targets do not run linter (Xavier Stouder) #62120
• [4a1f20ec4a] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #62208
• [f976c9214d] - doc: clarify that any truthy value of shell is part of DEP0190 (Antoine du Hamel) #62249
• [4d83972681] - doc: remove outdated Chrome 66 and ndb references from debugger (Kit Dallege) #62202
• [71f2eada5b] - doc: add throwIfNoEntry version history to fs.stat (kovan) #62204
• [670c80893b] - doc: add note (and caveat) for mock.module about customization hooks (Jacob Smith) #62075
• [2ff5cb13f5] - doc,test: clarify --eval syntax for leading '-' scripts (kovan) #62244
• [6c6c9004c4] - esm: fix typo in worker loader hook comment (jakecastelli) #62475
• [1cdd23c9f3] - esm: fix source phase identity bug in loadCache eviction (Guy Bedford) #62415
• [4f4ff15794] - esm: fix path normalization in finalizeResolution (Antoine du Hamel) #62080
• [088167d102] - events: avoid cloning listeners array on every emit (Gürgün Dayıoğlu) #62261
• [0250b436ee] - fs: fix cpSync to handle non-ASCII characters (Stefan Stojanovic) #61950
• [b67a8fb171] - inspector: add Target.getTargets and extract TargetManager (Kohei) #62487
• [ffcc5a5722] - lib: make SubtleCrypto.supports enumerable (Filip Skokan) #62307
• [92ef2ad8fa] - lib: prefer primordials in SubtleCrypto (Filip Skokan) #62226
• [40a43ac4d0] - module: fix coverage of mocked CJS modules imported from ESM (Marco) #62133
• [3ef0a5b90e] - quic: remove CryptoKey support from session keys option (Filip Skokan) #62335
• [3c8dd8eb8e] - repl: use vm DONT_CONTEXTIFY context (Chengzhong Wu) #62371
• [f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #62188
• [e4c164e045] - repl: handle exceptions from async context after close (Anna Henningsen) #62165
• [67b854d407] - (SEMVER-MINOR) repl: remove dependency on domain module (Matteo Collina) #61227
• [966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158
• [fe82baf970] - src: improve EC JWK import performance (Filip Skokan) #62396
• [d490b171e0] - src: handle null backing store in ArrayBufferViewContents::Read (Mert Can Altin) #62343
• [0e4af848bc] - src: convert context_frame field in AsyncWrap to internal field (Anna Henningsen) #62103
• [02980b8c8f] - src: enable compilation/linking with OpenSSL 4.0 (Filip Skokan) #62410
• [064f7c2fa6] - src: use stack allocation in indexOf latin1 path (Mert Can Altin) #62268
• [ede52bc2dc] - src,sqlite: fix filterFunc dangling reference (Edy Silva) #62281
• [e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #62066
• [03839fb087] - stream: preserve error over AbortError in pipeline (Marco) #62113
• [0000d2f011] - stream: replace bind with arrow function for onwrite callback (Ali Hassan) #62087
• [3796a73719] - test: update WPT for WebCryptoAPI to 2cb332d710 (Node.js GitHub Bot) #62483
• [ad8309415b] - test: update WPT for url to fc3e651593 (Node.js GitHub Bot) #62379
• [bed89b037e] - test: wait for reattach before initial break on restart (Yuya Inoue) #62471
• [c9ffffcc55] - test: disable flaky WPT Blob test on AIX (James M Snell) #62470
• [fd41ef31f6] - (SEMVER-MINOR) test: add tests for experimental stream/iter implementation (James M Snell) #62066
• [1b9d8d3eec] - test: avoid flaky run wait in debugger restart test (Yuya Inoue) #62112
• [cb08a29d51] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #62238
• [abea0af8a9] - test: add WebCrypto Promise.prototype.then pollution regression tests (Filip Skokan) #62226
• [47a2132269] - test: update WPT for WebCryptoAPI to 6a1c545d77 (Node.js GitHub Bot) #62187
• [2c63d3006c] - test_runner: add exports option for module mocks (sangwook) #61727
• [44ac0e1302] - test_runner: make it compatible with fake timers (Matteo Collina) #59272
• [1865691275] - test_runner: set non-zero exit code when suite errors occur (Edy Silva) #62282
• [0252b2bab8] - tools: bump picomatch from 4.0.3 to 4.0.4 in /tools/eslint (dependabot[bot]) #62439
• [3368155267] - tools: bump yaml from 2.8.2 to 2.8.3 in /tools/doc (dependabot[bot]) #62437
• [5e47c359f5] - tools: adopt the --check-for-duplicates NCU flag (Antoine du Hamel) #62478
• [4a604e82d0] - tools: bump picomatch in /tools/doc (dependabot[bot]) #62438
• [d1a98b4ddb] - tools: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint (dependabot[bot]) #62375
• [c32daa1ab4] - tools: bump eslint deps (Huáng Jùnliàng) #62356
• [7a2fcc6d41] - tools: do not swallow error in lint-nix workflow (Antoine du Hamel) #62292
• [c41a2871b5] - tools: add eslint-plugin-regexp (Huáng Jùnliàng) #62093
• [56dfeb06df] - tools: fix timeout errors in lint-nix job (Antoine du Hamel) #62265
• [22fc8078e8] - tools: bump flatted from 3.3.3 to 3.4.1 in /tools/eslint (dependabot[bot]) #62255
• [409b0663bd] - tools: bump undici from 6.23.0 to 6.24.1 in /tools/doc (dependabot[bot]) #62250
• [67c69750f4] - tools: validate all commits that are pushed to main (Antoine du Hamel) #62246
• [7d9db8cd21] - tools: keep GN files when updating Merve (Antoine du Hamel) #62167
• [6c8fa42ba2] - typings: rationalise TypedArray types (René) #62174
• [531c64d04e] - url: enable simdutf for ada (Yagiz Nizipli) #61477
• [2000caccde] - util: allow color aliases in styleText (sangwook) #62180
• [0aed332ab4] - wasm: support js string constant esm import (Guy Bedford) #62198
• [d3fd4a978b] - worker: heap profile optimizations (Ilyas Shabi) #62201
• [e992a34a18] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #62325

This is a security release.

• (CVE-2026-21717) fix array index hash collision (Joyee Cheung) https://github.com/nodejs-private/node-private/pull/834
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) https://github.com/nodejs-private/node-private/pull/822
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) https://github.com/nodejs-private/node-private/pull/821
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) https://github.com/nodejs-private/node-private/pull/795
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) https://github.com/nodejs-private/node-private/pull/794
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) https://github.com/nodejs-private/node-private/pull/832
• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) https://github.com/nodejs-private/node-private/pull/819

• [cfb51fa9ce] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#831
• [f333d0be5f] - deps: V8: override depot_tools version (Richard Lau) #62344
• [2acd5d1226] - deps: update undici to v6.24.1 (Matteo Collina) #62285
• [af5c144ebc] - (CVE-2026-21717) deps,build,test: fix array index hash collision (Joyee Cheung) nodejs-private/node-private#834
• [00ad47a28e] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [0123309566] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#840
• [00830712bc] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#838
• [a0c73425da] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [cc3f294507] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#839

This is a security release.

• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21711) include permission check to pipe_wrap.cc (RafaelGSS) - Medium
• (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low

• [2086b7477b] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#834
• [0f9332a40a] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822
• [2b6937ddb2] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271
• [bfb8ad5787] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233
• [be6384727f] - deps: upgrade npm to 11.11.1 (npm team) #62216
• [2feea5bb97] - deps: V8: override depot_tools version (Richard Lau) #62344
• [86c04784dd] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [5197a56a34] - (CVE-2026-21711) permission: include permission check to pipe_wrap.cc (RafaelGSS) nodejs-private/node-private#820
• [04a886c735] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [9a7f80f2b0] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [d9c9b628cf] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [45b55dc786] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816
• [4bfda307c0] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

This is a security release.

• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low

• [6fae244080] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#828
• [cc0910c62e] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822
• [80cb042cf3] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271
• [f5b8667dc2] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233
• [08852637d9] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #62035
• [61097db9fb] - deps: upgrade npm to 11.11.0 (npm team) #61994
• [9ac0f9f81e] - deps: upgrade npm to 11.10.1 (npm team) #61892
• [3dab3c4698] - deps: V8: override depot_tools version (Richard Lau) #62344
• [87521e99d1] - deps: V8: backport 1361b2a49d02 (Joyee Cheung) nodejs-private/node-private#828
• [045013366f] - deps: V8: backport 185f0fe09b72 (Joyee Cheung) nodejs-private/node-private#828
• [af22629ea8] - deps: V8: backport 0a8b1cdcc8b2 (snek) nodejs-private/node-private#828
• [380ea72eef] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [d6b6051e08] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [bfdecef9da] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [c015edf313] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [cba66c48a5] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816
• [df8fbfb93d] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

This is a security release.

• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low

• [6f14ee5101] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#809
• [52a52ef619] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#822
• [30a3ab11e2] - (CVE-2026-21717) deps: V8: cherry-pick aac14dd95e5b (Joyee Cheung) nodejs-private/node-private#809
• [e3f4d6a42e] - (CVE-2026-21717) deps: V8: backport 1361b2a49d02 (Joyee Cheung) nodejs-private/node-private#809
• [7dc00fa5f4] - (CVE-2026-21717) deps: V8: backport 185f0fe09b72 (Joyee Cheung) nodejs-private/node-private#809
• [076acd052d] - (CVE-2026-21717) deps: V8: backport 0a8b1cdcc8b2 (snek) nodejs-private/node-private#809
• [963c60a951] - deps: V8: override depot_tools version (Richard Lau) #62344
• [a688117d5d] - deps: upgrade npm to 10.9.7 (npm team) #62330
• [859c8c761b] - deps: update undici to v6.24.1 (Matteo Collina) #62285
• [d5ed384a2f] - deps: upgrade npm to 10.9.6 (npm team) #62215
• [a2fe9fd81a] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [73deff77c1] - lib: backport _tls_common and _tls_wrap refactors (Dario Piotrowicz) #57643
• [06fc3436f6] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [db48d9c675] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [2a6105a63b] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [91b970886f] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

• [ea87eea71a] - module: fix extensionless CJS files in "type": "module" packages (Matteo Collina) #62083

• [bab750d1b3] - build: do not depend on V8 deps on --without-bundled-v8 builds (Antoine du Hamel) #62033
• [b26d1c7fcb] - crypto: make --use-system-ca per-env rather than per-process (Aditi) #60678
• [e362635abf] - crypto: add missing AES dictionaries (Filip Skokan) #62099
• [6f975db8af] - crypto: fix importKey required argument count check (Filip Skokan) #62099
• [3beaf9c5fc] - deps: update amaro to 1.1.8 (Node.js GitHub Bot) #62151
• [53afb0edd8] - deps: update sqlite to 3.52.0 (Node.js GitHub Bot) #62150
• [a13ed052a1] - deps: update merve to 1.2.0 (Node.js GitHub Bot) #62149
• [2c850577b7] - deps: patch resb crate (Richard Lau) #62138
• [37862a6728] - deps: V8: cherry-pick aa0b288f87cc (Richard Lau) #62136
• [09191ad8b4] - deps: update ada to 3.4.3 (Node.js GitHub Bot) #62049
• [8d63a178fd] - doc: copyedit addons.md (Antoine du Hamel) #62071
• [83719ffb64] - doc: correct util.convertProcessSignalToExitCode validation behavior (René) #62134
• [eeee7c7fb1] - doc: add efekrskl as triager (Efe) #61876
• [db150b2e69] - doc: fix markdown for expectFailure values (Jacob Smith) #62100
• [d55a441e60] - doc: add title to index (Aviv Keller) #62046
• [cc46204b48] - doc: include url.resolve() in DEP0169 application deprecation (Mike McCready) #62002
• [1d91a7261e] - doc,module: add missing doc for syncHooks.deregister() (Joyee Cheung) #61959
• [5198573bee] - http: fix use-after-free when freeParser is called during llhttp_execute (Gerhard Stöbich) #62095
• [f8793f80df] - lib: fix source map url parse in dynamic imports (Chengzhong Wu) #61990
• [5439d0e0cf] - meta: bump actions/download-artifact from 7.0.0 to 8.0.0 (dependabot[bot]) #62063
• [27fd21943a] - meta: bump actions/upload-artifact from 6.0.0 to 7.0.0 (dependabot[bot]) #62062
• [5b266f3295] - meta: bump step-security/harden-runner from 2.14.2 to 2.15.0 (dependabot[bot]) #62064
• [ea87eea71a] - module: fix extensionless CJS files in "type": "module" packages (Matteo Collina) #62083
• [851228cd60] - sqlite: handle stmt invalidation (Guilherme Araújo) #61877
• [19efe60548] - src: expose async context frame debugging helper to JS (Anna Henningsen) #62103
• [0257e8072f] - src: make AsyncWrap subclass internal field counts explicit (Anna Henningsen) #62103
• [975dafbe3b] - src: release context frame in AsyncWrap::EmitDestroy (Gerhard Stöbich) #61995
• [f2c08c7888] - src: use validate_ascii_with_errors instead of validate_ascii (Сковорода Никита Андреевич) #61122
• [0278461d83] - stream: optimize webstreams pipeTo (Mattias Buelens) #62079
• [4d62e95bfa] - stream: fix brotli error handling in web compression streams (Filip Skokan) #62107
• [4bdcaf2865] - stream: improve Web Compression spec compliance (Filip Skokan) #62107
• [a5b1be2045] - stream: fix UTF-8 character corruption in fast-utf8-stream (Matteo Collina) #61745
• [5632446c4e] - stream: fix TransformStream race on cancel with pending write (Marco) #62040
• [f90fa9cd1a] - stream: accept ArrayBuffer in CompressionStream and DecompressionStream (조수민) #61913
• [00319eaa3a] - test: update WPT for url to c928b19ab0 (Node.js GitHub Bot) #62148
• [456abc7d20] - test: update WPT for WebCryptoAPI to c9e955840a (Node.js GitHub Bot) #62147
• [82770cb7d3] - test: improve WPT report runner (Filip Skokan) #62107
• [cfc847d233] - test: update WPT compression to ae05f5cb53 (Filip Skokan) #62107
• [80f78f2737] - test: update WPT for WebCryptoAPI to 42e47329fd (Node.js GitHub Bot) #62048
• [8048e0508c] - test: fix skipping behavior for test-runner-run-files-undefined (Antoine du Hamel) #62026
• [699a6214c6] - tools: revert timezone update GHA workflow to ubuntu-latest (Richard Lau) #62140
• [1a453b550c] - tools: improve error handling in test426 update script (Rich Trott) #62121
• [710dde5ee2] - tools: fix --node-builtin-modules-path value in shell.nix (Antoine du Hamel) #62102
• [dcb1cbb21f] - tools: bump the eslint group across 1 directory with 2 updates (dependabot[bot]) #62092
• [7d0b758583] - tools: fix daily wpt workflow nighly release version lookup (Filip Skokan) #62076
• [3e8c816f2e] - tools: fix example in release proposal linter (Richard Lau) #62074
• [772d3d270d] - tools: bump minimatch from 3.1.3 to 3.1.5 in /tools/clang-format (dependabot[bot]) #62013
• [92f3b42672] - tools: bump eslint to v10, babel to v8.0.0-rc.2 (Huáng Jùnliàng) #61905
• [deead95ec5] - url: suppress warnings from url.format/url.resolve inside node_modules (René) #62005